Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Situational Awareness with Open Source Tools
Search
paulh
June 13, 2010
Technology
0
94
Situational Awareness with Open Source Tools
CANHEIT, Memorial University. 2010.
paulh
June 13, 2010
Tweet
Share
More Decks by paulh
See All by paulh
Beginners Guide to OSINT
paulh
1
340
squert – an open source UI for NSM data
paulh
0
48
squert - an open source UI for NSM data
paulh
0
190
System Compliance on a Budget
paulh
0
33
Internet Safety
paulh
0
100
Network Security Monitoring with Open Source Tools
paulh
0
140
Other Decks in Technology
See All in Technology
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
1
170
Autify Company Deck
autifyhq
1
39k
スプリントゴールにチームの状態も設定する背景とその効果 / Team state in sprint goals why and impact
kakehashi
2
100
現地でMeet Upをやる場合の注意点〜反省点を添えて〜
shotashiratori
0
530
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
2024-10-30-reInventStandby_StudyGroup_Intro
shinichirokawano
1
630
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
プロダクト成長に対応するプラットフォーム戦略:Authleteによる共通認証基盤の移行事例 / Building an authentication platform using Authlete and AWS
kakehashi
1
150
Automated Promptingを目指すその前に / Before we can aim for Automated Prompting
rkaga
0
110
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
4
700
カメラを用いた店内計測におけるオプトインの仕組みの実現 / ai-optin-camera
cyberagentdevelopers
PRO
1
120
Featured
See All Featured
Side Projects
sachag
452
42k
Practical Orchestrator
shlominoach
186
10k
A better future with KSS
kneath
238
17k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
Building an army of robots
kneath
302
42k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Speed Design
sergeychernyshev
24
570
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Done Done
chrislema
181
16k
KATA
mclloyd
29
13k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Transcript
Situational Awareness Paul Halliday | Security Analyst | NSCC |
CANHEIT 2010
• 20+ Sites (13 Campuses) • 5500 IP Devices •
25,000 Full-time/Part-time & Online Students • 1,800 Employees About The Nova Scotia Community College
About My Job
Warm Warm Warm Cold Cold Cold Session Data and PCAP
Metadata Event and alert Data Awareness About This presentation
Zabbix A very brief introduction
None
None
None
Data Sources Where the raw information comes from and how
None
None
None
None
None
• Easy to collect and process(SIAFI) • Clearly defned and
concise • Results should be consistent and verifable • Cheap (resource wise) • Preferably not proprietary Rules for data sources The rules I try to follow anyway
Putting it all together. Presentation status.nscc.ca
Links to sections within this tab Section Content (a graph
or stub or both) Section note Section Title … FLOW IDS NESS US URL ZABB IX 1 2 3 4 5 SH
Control #1 Control #2 Control #3 Section content A graph
created with RRDTool that shows Internet Trafc FLOW
Section content A graph created with Zabbix that shows flesystem
utilization ZABB IX
Section content A graph created with JpGraph that shows IDS
alert data IDS IP2C
Section content A graph created with Afterglow that shows IDS
alert data IDS
Section content A Stub created with a MySQL query that
shows blocked Email
A Section A graph and stub (fow-tools) combined that show
Blackhole activity FLOW
A Section in action Suspicious activity FLOW
A Section in action Suspicious activity 10.11.12.13 - - [29/May/2010:00:24:58
-0300] "GET /MaV2XmZP8T6Y2Us29ae3c2a404357831ccd07fc6a0aec04d18g HTTP/1.1" 404 122 "http://daybreak.com/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=daypro+testimonials" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:19 -0300] "GET/? xurl=http://cdn.mfdclk001.org/6vQ11Ovp8f7J1NO2fca2fef53de5ef21823110c774f7972617c&xref=http:/ /www.dogfleatreatment.com/default.pk? tsearch=auto+credit+loan+poor&search_button.x=48&search_button.y=12 HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:26 -0300] "GET/? xurl=http://cdn.mfdclk001.org/VKw2IN5L7g4JXpS8460217bb4f66f154be9a6e568412b24f38h&xref=htt p://bagging.org/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=auto+credit+loan+poor HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
• Be consistent and conscious of fow • Be clear.
Use helpers • Be mindful of loading time • Don’t “dead end” the user • Think ahead Rules for data presentation Ok, maybe just suggestions
Tab C O M P L I A N C
E : Contains compliance related information
WWW NESS US ZABB IX
None
Nessus HTML output • BIG! 300K to 1.5M in size;
redundant • Difcult to navigate • Single option for host representation
Modifed HTML output • Small! Under 10K • Just report
relevant info • Sort option on column headings • Hostname and IP
Tab D E V I C E S : Contains
maps created by Zabbix
ZABB IX
None
Tab E M A I L : Contains SPAM summary
data and Exchange environment information
ZABB IX
IP2C
This link graph shows a typical day of spam:
This link graph shows a particularly heavy day of spam:
FLOW SH
Tab N E T W O R K : Contains
high level network information
FLOW
FLOW
FLOW
FLOW
SH
Tab S I T E S : Acts as a
loader for sensor content
SH
SH
SH
SH
SH
FLOW
FLOW
Tab S T U D E N T V L
A N : An example (last one, promise) of grouped content
FLOW
IDS SH
IP2C IDS
IDS
• URELLS • Visuals with more depth • New types
of visuals: - Wordmaps (tag clouds) - Circos • Hints in link area The Future? Where are we going