Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Situational Awareness with Open Source Tools

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for paulh paulh
June 13, 2010
Technology
110
0

Situational Awareness with Open Source Tools

CANHEIT, Memorial University. 2010.

Avatar for paulh

paulh

June 13, 2010

More Decks by paulh

See All by paulh
Beginners Guide to OSINT
Avatar for paulh paulh
1
430
squert – an open source UI for NSM data
Avatar for paulh paulh
0
68
squert - an open source UI for NSM data
Avatar for paulh paulh
0
360
System Compliance on a Budget
Avatar for paulh paulh
0
56
Internet Safety
Avatar for paulh paulh
0
130
Network Security Monitoring with Open Source Tools
Avatar for paulh paulh
0
190

Other Decks in Technology

See All in Technology
JEP 522 Deep Dive - G1 GC同期コスト削減によるスループット向上を徹底検証&解説
Avatar for Daishi Tabata tabatad
1
190
Amazon CloudFrontにおけるAIボットアクセス制御のポイント
Avatar for t.kizawa kizawa2020
4
290
自作エディターをOSSにして分かった、一人に刺さる開発が世界を動かす理由
Avatar for Shinya Saita shinyasaita
1
440
Harnessing the Power of Mocks and Stubs in PHPUnit / #laravellivejp
Avatar for asumikam asumikam
0
700
基礎から解説!Icebergで紐解くSnowflake×Databricks連携の現在地
Avatar for TomokiYasuhara cm_yasuhara
0
340
『家族アルバム みてね』における インシデント対応との向き合い方 / Approach incident response in Family Album
Avatar for kohbis kohbis
2
230
OpenID Connectによるサービス間連携
Avatar for Shigeki Shoji takesection
0
130
Spring AI × MCP 入門〜AIエージェントへのツール公開、境界設計から始める最小構成 〜
Avatar for 宮本裕也 yuyamiyamoto
0
120
Java正規表現エンジン(NFA)の仕組みと パフォーマンスを維持するための最適化手法
Avatar for 竹内 雅和 takeuchi_132917
0
120
NFLコンペ2026 解法
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
120
OpenClawとHermesAgentでAI新入社員を作った話
Avatar for yanada takanoriyanada
0
130
はじめてのAI-DLC
Avatar for 吉田真吾 yoshidashingo
2
590

Featured

See All Featured
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
270
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.5k
The Curious Case for Waylosing
Avatar for Cassini Nazir cassininazir
1
360
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
57
14k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
1
460
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
Avatar for Greg Gifford greggifford
PRO
0
170
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
3.4M
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
66
8.5k
Crafting Experiences
Avatar for Bethany Jepchumba bethany
1
160
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
4k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
180
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.4k

Transcript

  1. Situational Awareness Paul Halliday | Security Analyst | NSCC |

    CANHEIT 2010

  2. • 20+ Sites (13 Campuses) • 5500 IP Devices •

    25,000 Full-time/Part-time & Online Students • 1,800 Employees About The Nova Scotia Community College

  3. About My Job

  4. Warm Warm Warm Cold Cold Cold Session Data and PCAP

    Metadata Event and alert Data Awareness About This presentation

  5. Zabbix A very brief introduction

  6. None
  7. None
  8. None

  9. Data Sources Where the raw information comes from and how

  10. None
  11. None
  12. None
  13. None
  14. None

  15. • Easy to collect and process(SIAFI) • Clearly defned and

    concise • Results should be consistent and verifable • Cheap (resource wise) • Preferably not proprietary Rules for data sources The rules I try to follow anyway

  16. Putting it all together. Presentation status.nscc.ca

  17. Links to sections within this tab Section Content (a graph

    or stub or both) Section note Section Title … FLOW IDS NESS US URL ZABB IX 1 2 3 4 5 SH

  18. Control #1 Control #2 Control #3 Section content A graph

    created with RRDTool that shows Internet Trafc FLOW

  19. Section content A graph created with Zabbix that shows flesystem

    utilization ZABB IX

  20. Section content A graph created with JpGraph that shows IDS

    alert data IDS IP2C

  21. Section content A graph created with Afterglow that shows IDS

    alert data IDS

  22. Section content A Stub created with a MySQL query that

    shows blocked Email

  23. A Section A graph and stub (fow-tools) combined that show

    Blackhole activity FLOW

  24. A Section in action Suspicious activity FLOW

  25. A Section in action Suspicious activity 10.11.12.13 - - [29/May/2010:00:24:58

    -0300] "GET /MaV2XmZP8T6Y2Us29ae3c2a404357831ccd07fc6a0aec04d18g HTTP/1.1" 404 122 "http://daybreak.com/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=daypro+testimonials" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:19 -0300] "GET/? xurl=http://cdn.mfdclk001.org/6vQ11Ovp8f7J1NO2fca2fef53de5ef21823110c774f7972617c&xref=http:/ /www.dogfleatreatment.com/default.pk? tsearch=auto+credit+loan+poor&search_button.x=48&search_button.y=12 HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:26 -0300] "GET/? xurl=http://cdn.mfdclk001.org/VKw2IN5L7g4JXpS8460217bb4f66f154be9a6e568412b24f38h&xref=htt p://bagging.org/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=auto+credit+loan+poor HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR

  26. • Be consistent and conscious of fow • Be clear.

    Use helpers • Be mindful of loading time • Don’t “dead end” the user • Think ahead Rules for data presentation Ok, maybe just suggestions

  27. Tab C O M P L I A N C

    E : Contains compliance related information

  28. WWW NESS US ZABB IX

  29. None

  30. Nessus HTML output • BIG! 300K to 1.5M in size;

    redundant • Difcult to navigate • Single option for host representation

  31. Modifed HTML output • Small! Under 10K • Just report

    relevant info • Sort option on column headings • Hostname and IP

  32. Tab D E V I C E S : Contains

    maps created by Zabbix

  33. ZABB IX

  34. None

  35. Tab E M A I L : Contains SPAM summary

    data and Exchange environment information

  36. ZABB IX

  37. IP2C

  38. This link graph shows a typical day of spam:

  39. This link graph shows a particularly heavy day of spam:

  40. FLOW SH

  41. Tab N E T W O R K : Contains

    high level network information

  42. FLOW

  43. FLOW

  44. FLOW

  45. FLOW

  46. SH

  47. Tab S I T E S : Acts as a

    loader for sensor content

  48. SH

  49. SH

  50. SH

  51. SH

  52. SH

  53. FLOW

  54. FLOW

  55. Tab S T U D E N T V L

    A N : An example (last one, promise) of grouped content

  56. FLOW

  57. IDS SH

  58. IP2C IDS

  59. IDS

  60. • URELLS • Visuals with more depth • New types

    of visuals: - Wordmaps (tag clouds) - Circos • Hints in link area The Future? Where are we going