Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Situational Awareness with Open Source Tools
Search
paulh
June 13, 2010
Technology
0
100
Situational Awareness with Open Source Tools
CANHEIT, Memorial University. 2010.
paulh
June 13, 2010
Tweet
Share
More Decks by paulh
See All by paulh
Beginners Guide to OSINT
paulh
1
410
squert – an open source UI for NSM data
paulh
0
57
squert - an open source UI for NSM data
paulh
0
290
System Compliance on a Budget
paulh
0
41
Internet Safety
paulh
0
110
Network Security Monitoring with Open Source Tools
paulh
0
180
Other Decks in Technology
See All in Technology
Pure Goで体験するWasmの未来
askua
1
180
生成AIを活用したZennの取り組み事例
ryosukeigarashi
0
200
【新卒研修資料】LLM・生成AI研修 / Large Language Model・Generative AI
brainpadpr
24
17k
GA technologiesでのAI-Readyの取り組み@DataOps Night
yuto16
0
270
LLMアプリケーション開発におけるセキュリティリスクと対策 / LLM Application Security
flatt_security
7
1.9k
リーダーになったら未来を語れるようになろう/Speak the Future
sanogemaru
0
280
許しとアジャイル
jnuank
1
130
後進育成のしくじり〜任せるスキルとリーダーシップの両立〜
matsu0228
7
2.4k
AI駆動開発を推進するためにサービス開発チームで 取り組んでいること
noayaoshiro
0
180
o11yで育てる、強い内製開発組織
_awache
3
120
Escaping_the_Kraken_-_October_2025.pdf
mdalmijn
0
140
extension 現場で使えるXcodeショートカット一覧
ktombow
0
210
Featured
See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.2k
Navigating Team Friction
lara
189
15k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.7k
Visualization
eitanlees
148
16k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
A Modern Web Designer's Workflow
chriscoyier
697
190k
The Language of Interfaces
destraynor
162
25k
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.7k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.7k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Balancing Empowerment & Direction
lara
4
680
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Transcript
Situational Awareness Paul Halliday | Security Analyst | NSCC |
CANHEIT 2010
• 20+ Sites (13 Campuses) • 5500 IP Devices •
25,000 Full-time/Part-time & Online Students • 1,800 Employees About The Nova Scotia Community College
About My Job
Warm Warm Warm Cold Cold Cold Session Data and PCAP
Metadata Event and alert Data Awareness About This presentation
Zabbix A very brief introduction
None
None
None
Data Sources Where the raw information comes from and how
None
None
None
None
None
• Easy to collect and process(SIAFI) • Clearly defned and
concise • Results should be consistent and verifable • Cheap (resource wise) • Preferably not proprietary Rules for data sources The rules I try to follow anyway
Putting it all together. Presentation status.nscc.ca
Links to sections within this tab Section Content (a graph
or stub or both) Section note Section Title … FLOW IDS NESS US URL ZABB IX 1 2 3 4 5 SH
Control #1 Control #2 Control #3 Section content A graph
created with RRDTool that shows Internet Trafc FLOW
Section content A graph created with Zabbix that shows flesystem
utilization ZABB IX
Section content A graph created with JpGraph that shows IDS
alert data IDS IP2C
Section content A graph created with Afterglow that shows IDS
alert data IDS
Section content A Stub created with a MySQL query that
shows blocked Email
A Section A graph and stub (fow-tools) combined that show
Blackhole activity FLOW
A Section in action Suspicious activity FLOW
A Section in action Suspicious activity 10.11.12.13 - - [29/May/2010:00:24:58
-0300] "GET /MaV2XmZP8T6Y2Us29ae3c2a404357831ccd07fc6a0aec04d18g HTTP/1.1" 404 122 "http://daybreak.com/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=daypro+testimonials" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:19 -0300] "GET/? xurl=http://cdn.mfdclk001.org/6vQ11Ovp8f7J1NO2fca2fef53de5ef21823110c774f7972617c&xref=http:/ /www.dogfleatreatment.com/default.pk? tsearch=auto+credit+loan+poor&search_button.x=48&search_button.y=12 HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:26 -0300] "GET/? xurl=http://cdn.mfdclk001.org/VKw2IN5L7g4JXpS8460217bb4f66f154be9a6e568412b24f38h&xref=htt p://bagging.org/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=auto+credit+loan+poor HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
• Be consistent and conscious of fow • Be clear.
Use helpers • Be mindful of loading time • Don’t “dead end” the user • Think ahead Rules for data presentation Ok, maybe just suggestions
Tab C O M P L I A N C
E : Contains compliance related information
WWW NESS US ZABB IX
None
Nessus HTML output • BIG! 300K to 1.5M in size;
redundant • Difcult to navigate • Single option for host representation
Modifed HTML output • Small! Under 10K • Just report
relevant info • Sort option on column headings • Hostname and IP
Tab D E V I C E S : Contains
maps created by Zabbix
ZABB IX
None
Tab E M A I L : Contains SPAM summary
data and Exchange environment information
ZABB IX
IP2C
This link graph shows a typical day of spam:
This link graph shows a particularly heavy day of spam:
FLOW SH
Tab N E T W O R K : Contains
high level network information
FLOW
FLOW
FLOW
FLOW
SH
Tab S I T E S : Acts as a
loader for sensor content
SH
SH
SH
SH
SH
FLOW
FLOW
Tab S T U D E N T V L
A N : An example (last one, promise) of grouped content
FLOW
IDS SH
IP2C IDS
IDS
• URELLS • Visuals with more depth • New types
of visuals: - Wordmaps (tag clouds) - Circos • Hints in link area The Future? Where are we going