Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Situational Awareness with Open Source Tools
Search
paulh
June 13, 2010
Technology
120
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Situational Awareness with Open Source Tools
CANHEIT, Memorial University. 2010.
paulh
June 13, 2010
More Decks by paulh
See All by paulh
Beginners Guide to OSINT
paulh
1
440
squert – an open source UI for NSM data
paulh
0
70
squert - an open source UI for NSM data
paulh
0
370
System Compliance on a Budget
paulh
0
59
Internet Safety
paulh
0
140
Network Security Monitoring with Open Source Tools
paulh
0
200
Other Decks in Technology
See All in Technology
ZOZOTOWNの進化と信頼性を両立する負荷試験
zozotech
PRO
0
140
Foxgloveについて 実際にExtensionを開発して公開するまでの話 / About Foxglove: The Story of Developing and Releasing an Extension
ry0_ka
0
180
ヘルスケア領域における AI 活用と その安全性担保のための取り組み (Leveraging AI in Healthcare and Our Efforts to Ensure Its Safety) - Google I/O Extended Tokyo 2026, July 11, 2026
zettaittenani
0
160
AWS Blocks を触ってみた/first-tach-aws-blocks
fossamagna
2
150
cccccc
moznion
0
1.8k
最適な自走を最小限の支援で — M&Aで拡大する組織で少人数SREが挑んだ1年 / SRE NEXT 2026
genda
0
240
知見・人・API・DB・予算 ─ ナイナイ尽くしだった人事データ整備 with dbt、5年間の学び
ken6377
1
170
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
4.1k
Compose 新機能総まとめ / What's New in Jetpack Compose
yanzm
0
150
キャリアの中で本を作る / Making a Book During Your Career
ak1210
0
110
“ID沼入口” - 基本とセキュリティから始める、考え続けるためのID管理技術勉強会 告知&イントロ
ritou
0
440
生成AIの活用/high_school2026
okana2ki
0
110
Featured
See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
10k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.9k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
440
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
3
890
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
480
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
34
2.8k
Building AI with AI
inesmontani
PRO
1
1.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
23k
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
250
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
118
120k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
Transcript
Situational Awareness Paul Halliday | Security Analyst | NSCC |
CANHEIT 2010
• 20+ Sites (13 Campuses) • 5500 IP Devices •
25,000 Full-time/Part-time & Online Students • 1,800 Employees About The Nova Scotia Community College
About My Job
Warm Warm Warm Cold Cold Cold Session Data and PCAP
Metadata Event and alert Data Awareness About This presentation
Zabbix A very brief introduction
None
None
None
Data Sources Where the raw information comes from and how
None
None
None
None
None
• Easy to collect and process(SIAFI) • Clearly defned and
concise • Results should be consistent and verifable • Cheap (resource wise) • Preferably not proprietary Rules for data sources The rules I try to follow anyway
Putting it all together. Presentation status.nscc.ca
Links to sections within this tab Section Content (a graph
or stub or both) Section note Section Title … FLOW IDS NESS US URL ZABB IX 1 2 3 4 5 SH
Control #1 Control #2 Control #3 Section content A graph
created with RRDTool that shows Internet Trafc FLOW
Section content A graph created with Zabbix that shows flesystem
utilization ZABB IX
Section content A graph created with JpGraph that shows IDS
alert data IDS IP2C
Section content A graph created with Afterglow that shows IDS
alert data IDS
Section content A Stub created with a MySQL query that
shows blocked Email
A Section A graph and stub (fow-tools) combined that show
Blackhole activity FLOW
A Section in action Suspicious activity FLOW
A Section in action Suspicious activity 10.11.12.13 - - [29/May/2010:00:24:58
-0300] "GET /MaV2XmZP8T6Y2Us29ae3c2a404357831ccd07fc6a0aec04d18g HTTP/1.1" 404 122 "http://daybreak.com/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=daypro+testimonials" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:19 -0300] "GET/? xurl=http://cdn.mfdclk001.org/6vQ11Ovp8f7J1NO2fca2fef53de5ef21823110c774f7972617c&xref=http:/ /www.dogfleatreatment.com/default.pk? tsearch=auto+credit+loan+poor&search_button.x=48&search_button.y=12 HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:26 -0300] "GET/? xurl=http://cdn.mfdclk001.org/VKw2IN5L7g4JXpS8460217bb4f66f154be9a6e568412b24f38h&xref=htt p://bagging.org/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=auto+credit+loan+poor HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
• Be consistent and conscious of fow • Be clear.
Use helpers • Be mindful of loading time • Don’t “dead end” the user • Think ahead Rules for data presentation Ok, maybe just suggestions
Tab C O M P L I A N C
E : Contains compliance related information
WWW NESS US ZABB IX
None
Nessus HTML output • BIG! 300K to 1.5M in size;
redundant • Difcult to navigate • Single option for host representation
Modifed HTML output • Small! Under 10K • Just report
relevant info • Sort option on column headings • Hostname and IP
Tab D E V I C E S : Contains
maps created by Zabbix
ZABB IX
None
Tab E M A I L : Contains SPAM summary
data and Exchange environment information
ZABB IX
IP2C
This link graph shows a typical day of spam:
This link graph shows a particularly heavy day of spam:
FLOW SH
Tab N E T W O R K : Contains
high level network information
FLOW
FLOW
FLOW
FLOW
SH
Tab S I T E S : Acts as a
loader for sensor content
SH
SH
SH
SH
SH
FLOW
FLOW
Tab S T U D E N T V L
A N : An example (last one, promise) of grouped content
FLOW
IDS SH
IP2C IDS
IDS
• URELLS • Visuals with more depth • New types
of visuals: - Wordmaps (tag clouds) - Circos • Hints in link area The Future? Where are we going