Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Situational Awareness with Open Source Tools
Search
paulh
June 13, 2010
Technology
0
95
Situational Awareness with Open Source Tools
CANHEIT, Memorial University. 2010.
paulh
June 13, 2010
Tweet
Share
More Decks by paulh
See All by paulh
Beginners Guide to OSINT
paulh
1
340
squert – an open source UI for NSM data
paulh
0
48
squert - an open source UI for NSM data
paulh
0
200
System Compliance on a Budget
paulh
0
34
Internet Safety
paulh
0
100
Network Security Monitoring with Open Source Tools
paulh
0
140
Other Decks in Technology
See All in Technology
Qiita埋め込み用スライド
naoki_0531
0
5.2k
どちらを使う?GitHub or Azure DevOps Ver. 24H2
kkamegawa
0
1.1k
[JAWS-UG新潟#20] re:Invent2024 -CloudOperationsアップデートについて-
shintaro_fukatsu
0
120
Microsoft Azure全冠になってみた ~アレを使い倒した者が試験を制す!?~/Obtained all Microsoft Azure certifications Those who use "that" to the full will win the exam! ?
yuj1osm
2
120
APIとはなにか
mikanichinose
0
110
多様なメトリックとシステムの健全性維持
masaaki_k
0
110
watsonx.ai Dojo #5 ファインチューニングとInstructLAB
oniak3ibm
PRO
0
190
終了の危機にあった15年続くWebサービスを全力で存続させる - phpcon2024
yositosi
27
23k
LINE Developersプロダクト(LIFF/LINE Login)におけるフロントエンド開発
lycorptech_jp
PRO
0
150
Yahoo! ズバトクにおけるフロントエンド開発
lycorptech_jp
PRO
0
100
re:Invent をおうちで楽しんでみた ~CloudWatch のオブザーバビリティ機能がスゴい!/ Enjoyed AWS re:Invent from Home and CloudWatch Observability Feature is Amazing!
yuj1osm
0
130
10個のフィルタをAXI4-Streamでつなげてみた
marsee101
0
180
Featured
See All Featured
Practical Orchestrator
shlominoach
186
10k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
26
1.9k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
The Cost Of JavaScript in 2023
addyosmani
46
7k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Documentation Writing (for coders)
carmenintech
66
4.5k
Visualization
eitanlees
146
15k
Rails Girls Zürich Keynote
gr2m
94
13k
Music & Morning Musume
bryan
46
6.2k
Become a Pro
speakerdeck
PRO
26
5k
Transcript
Situational Awareness Paul Halliday | Security Analyst | NSCC |
CANHEIT 2010
• 20+ Sites (13 Campuses) • 5500 IP Devices •
25,000 Full-time/Part-time & Online Students • 1,800 Employees About The Nova Scotia Community College
About My Job
Warm Warm Warm Cold Cold Cold Session Data and PCAP
Metadata Event and alert Data Awareness About This presentation
Zabbix A very brief introduction
None
None
None
Data Sources Where the raw information comes from and how
None
None
None
None
None
• Easy to collect and process(SIAFI) • Clearly defned and
concise • Results should be consistent and verifable • Cheap (resource wise) • Preferably not proprietary Rules for data sources The rules I try to follow anyway
Putting it all together. Presentation status.nscc.ca
Links to sections within this tab Section Content (a graph
or stub or both) Section note Section Title … FLOW IDS NESS US URL ZABB IX 1 2 3 4 5 SH
Control #1 Control #2 Control #3 Section content A graph
created with RRDTool that shows Internet Trafc FLOW
Section content A graph created with Zabbix that shows flesystem
utilization ZABB IX
Section content A graph created with JpGraph that shows IDS
alert data IDS IP2C
Section content A graph created with Afterglow that shows IDS
alert data IDS
Section content A Stub created with a MySQL query that
shows blocked Email
A Section A graph and stub (fow-tools) combined that show
Blackhole activity FLOW
A Section in action Suspicious activity FLOW
A Section in action Suspicious activity 10.11.12.13 - - [29/May/2010:00:24:58
-0300] "GET /MaV2XmZP8T6Y2Us29ae3c2a404357831ccd07fc6a0aec04d18g HTTP/1.1" 404 122 "http://daybreak.com/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=daypro+testimonials" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:19 -0300] "GET/? xurl=http://cdn.mfdclk001.org/6vQ11Ovp8f7J1NO2fca2fef53de5ef21823110c774f7972617c&xref=http:/ /www.dogfleatreatment.com/default.pk? tsearch=auto+credit+loan+poor&search_button.x=48&search_button.y=12 HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:26 -0300] "GET/? xurl=http://cdn.mfdclk001.org/VKw2IN5L7g4JXpS8460217bb4f66f154be9a6e568412b24f38h&xref=htt p://bagging.org/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=auto+credit+loan+poor HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
• Be consistent and conscious of fow • Be clear.
Use helpers • Be mindful of loading time • Don’t “dead end” the user • Think ahead Rules for data presentation Ok, maybe just suggestions
Tab C O M P L I A N C
E : Contains compliance related information
WWW NESS US ZABB IX
None
Nessus HTML output • BIG! 300K to 1.5M in size;
redundant • Difcult to navigate • Single option for host representation
Modifed HTML output • Small! Under 10K • Just report
relevant info • Sort option on column headings • Hostname and IP
Tab D E V I C E S : Contains
maps created by Zabbix
ZABB IX
None
Tab E M A I L : Contains SPAM summary
data and Exchange environment information
ZABB IX
IP2C
This link graph shows a typical day of spam:
This link graph shows a particularly heavy day of spam:
FLOW SH
Tab N E T W O R K : Contains
high level network information
FLOW
FLOW
FLOW
FLOW
SH
Tab S I T E S : Acts as a
loader for sensor content
SH
SH
SH
SH
SH
FLOW
FLOW
Tab S T U D E N T V L
A N : An example (last one, promise) of grouped content
FLOW
IDS SH
IP2C IDS
IDS
• URELLS • Visuals with more depth • New types
of visuals: - Wordmaps (tag clouds) - Circos • Hints in link area The Future? Where are we going