Situational Awareness with Open Source Tools

Transcript

1. Situational Awareness Paul Halliday | Security Analyst | NSCC |

   CANHEIT 2010

2. • 20+ Sites (13 Campuses) • 5500 IP Devices •

   25,000 Full-time/Part-time & Online Students • 1,800 Employees About The Nova Scotia Community College

3. About My Job

4. Warm Warm Warm Cold Cold Cold Session Data and PCAP

   Metadata Event and alert Data Awareness About This presentation

5. Zabbix A very brief introduction

6. None
7. None
8. None

9. Data Sources Where the raw information comes from and how

10. None
11. None
12. None
13. None
14. None

15. • Easy to collect and process(SIAFI) • Clearly defned and

    concise • Results should be consistent and verifable • Cheap (resource wise) • Preferably not proprietary Rules for data sources The rules I try to follow anyway

16. Putting it all together. Presentation status.nscc.ca

17. Links to sections within this tab Section Content (a graph

    or stub or both) Section note Section Title … FLOW IDS NESS US URL ZABB IX 1 2 3 4 5 SH

18. Control #1 Control #2 Control #3 Section content A graph

    created with RRDTool that shows Internet Trafc FLOW

19. Section content A graph created with Zabbix that shows flesystem

    utilization ZABB IX

20. Section content A graph created with JpGraph that shows IDS

    alert data IDS IP2C

21. Section content A graph created with Afterglow that shows IDS

    alert data IDS

22. Section content A Stub created with a MySQL query that

    shows blocked Email

23. A Section A graph and stub (fow-tools) combined that show

    Blackhole activity FLOW

24. A Section in action Suspicious activity FLOW

25. A Section in action Suspicious activity 10.11.12.13 - - [29/May/2010:00:24:58

    -0300] "GET /MaV2XmZP8T6Y2Us29ae3c2a404357831ccd07fc6a0aec04d18g HTTP/1.1" 404 122 "http://daybreak.com/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=daypro+testimonials" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:19 -0300] "GET/? xurl=http://cdn.mfdclk001.org/6vQ11Ovp8f7J1NO2fca2fef53de5ef21823110c774f7972617c&xref=http:/ /www.dogfleatreatment.com/default.pk? tsearch=auto+credit+loan+poor&search_button.x=48&search_button.y=12 HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:26 -0300] "GET/? xurl=http://cdn.mfdclk001.org/VKw2IN5L7g4JXpS8460217bb4f66f154be9a6e568412b24f38h&xref=htt p://bagging.org/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=auto+credit+loan+poor HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR

26. • Be consistent and conscious of fow • Be clear.

    Use helpers • Be mindful of loading time • Don’t “dead end” the user • Think ahead Rules for data presentation Ok, maybe just suggestions

27. Tab C O M P L I A N C

    E : Contains compliance related information

28. WWW NESS US ZABB IX

29. None

30. Nessus HTML output • BIG! 300K to 1.5M in size;

    redundant • Difcult to navigate • Single option for host representation

31. Modifed HTML output • Small! Under 10K • Just report

    relevant info • Sort option on column headings • Hostname and IP

32. Tab D E V I C E S : Contains

    maps created by Zabbix

33. ZABB IX

34. None

35. Tab E M A I L : Contains SPAM summary

    data and Exchange environment information

36. ZABB IX

37. IP2C

38. This link graph shows a typical day of spam:

39. This link graph shows a particularly heavy day of spam:

40. FLOW SH

41. Tab N E T W O R K : Contains

    high level network information

42. FLOW

43. FLOW

44. FLOW

45. FLOW

46. SH

47. Tab S I T E S : Acts as a

    loader for sensor content

48. SH

49. SH

50. SH

51. SH

52. SH

53. FLOW

54. FLOW

55. Tab S T U D E N T V L

    A N : An example (last one, promise) of grouped content

56. FLOW

57. IDS SH

58. IP2C IDS

59. IDS

60. • URELLS • Visuals with more depth • New types

    of visuals: - Wordmaps (tag clouds) - Circos • Hints in link area The Future? Where are we going