Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Situational Awareness with Open Source Tools
Search
paulh
June 13, 2010
Technology
0
92
Situational Awareness with Open Source Tools
CANHEIT, Memorial University. 2010.
paulh
June 13, 2010
Tweet
Share
More Decks by paulh
See All by paulh
Beginners Guide to OSINT
paulh
1
300
squert – an open source UI for NSM data
paulh
0
47
squert - an open source UI for NSM data
paulh
0
140
System Compliance on a Budget
paulh
0
26
Internet Safety
paulh
0
98
Network Security Monitoring with Open Source Tools
paulh
0
120
Other Decks in Technology
See All in Technology
AWS人材を育てる3つのステップ / Three Steps to Developing AWS Talent
cmhiranofumio
0
210
Columinity (旧Scrum Team Survey) を使ってチームの継続的な改善活動を始めよう / Scrum Fest Osaka 2024
ama_ch
1
120
アウトプット エンジニアリング 〜 インプット偏重から脱却して飛躍するための発想 /20240621-AWS-Summit-hatano-output
opelab
5
390
RubyKaigiのプロポーザルを通したい。 / rubykaigi-proposal
toshimaru
3
470
組織全体で品質を担保するための品管メンバーとしてのさまざまな役割
tarappo
3
890
品質活動を事業に結びつけるためのQA文化の築き方 / how to build QA culture
mii3king
1
1k
Cloud Nativeを支える要素技術・プロダクト・プラクティスの歩み / infrastudy-returns-01-amsy810
masayaaoyama
0
300
feature flag と OpenTelemetry
biwashi
4
860
120リポジトリを1つのMonorepoに統合した理由
disc99
1
330
エンジニアとして成長するための持続可能なアウトプット戦略 / Sustainable Output Strategy
iselegant
3
610
AWSセキュリティを「日本語で」学習していくための良いコンテンツをまとめてみた
cmusudakeisuke
0
12k
良いユニットテストの性質を整理してたら考えるべき設計も見えてきたの
bun913
12
5.1k
Featured
See All Featured
The Cult of Friendly URLs
andyhume
74
5.8k
Adopting Sorbet at Scale
ufuk
69
8.7k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.2k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
28
1.8k
Statistics for Hackers
jakevdp
791
220k
Large-scale JavaScript Application Architecture
addyosmani
505
110k
Principles of Awesome APIs and How to Build Them.
keavy
122
16k
Bash Introduction
62gerente
606
210k
[RailsConf 2023] Rails as a piece of cake
palkan
31
4.2k
Building Your Own Lightsaber
phodgson
101
5.8k
Writing Fast Ruby
sferik
623
60k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
Transcript
Situational Awareness Paul Halliday | Security Analyst | NSCC |
CANHEIT 2010
• 20+ Sites (13 Campuses) • 5500 IP Devices •
25,000 Full-time/Part-time & Online Students • 1,800 Employees About The Nova Scotia Community College
About My Job
Warm Warm Warm Cold Cold Cold Session Data and PCAP
Metadata Event and alert Data Awareness About This presentation
Zabbix A very brief introduction
None
None
None
Data Sources Where the raw information comes from and how
None
None
None
None
None
• Easy to collect and process(SIAFI) • Clearly defned and
concise • Results should be consistent and verifable • Cheap (resource wise) • Preferably not proprietary Rules for data sources The rules I try to follow anyway
Putting it all together. Presentation status.nscc.ca
Links to sections within this tab Section Content (a graph
or stub or both) Section note Section Title … FLOW IDS NESS US URL ZABB IX 1 2 3 4 5 SH
Control #1 Control #2 Control #3 Section content A graph
created with RRDTool that shows Internet Trafc FLOW
Section content A graph created with Zabbix that shows flesystem
utilization ZABB IX
Section content A graph created with JpGraph that shows IDS
alert data IDS IP2C
Section content A graph created with Afterglow that shows IDS
alert data IDS
Section content A Stub created with a MySQL query that
shows blocked Email
A Section A graph and stub (fow-tools) combined that show
Blackhole activity FLOW
A Section in action Suspicious activity FLOW
A Section in action Suspicious activity 10.11.12.13 - - [29/May/2010:00:24:58
-0300] "GET /MaV2XmZP8T6Y2Us29ae3c2a404357831ccd07fc6a0aec04d18g HTTP/1.1" 404 122 "http://daybreak.com/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=daypro+testimonials" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:19 -0300] "GET/? xurl=http://cdn.mfdclk001.org/6vQ11Ovp8f7J1NO2fca2fef53de5ef21823110c774f7972617c&xref=http:/ /www.dogfleatreatment.com/default.pk? tsearch=auto+credit+loan+poor&search_button.x=48&search_button.y=12 HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; InfoPath.1)" 10.11.12.13 - - [29/May/2010:00:42:26 -0300] "GET/? xurl=http://cdn.mfdclk001.org/VKw2IN5L7g4JXpS8460217bb4f66f154be9a6e568412b24f38h&xref=htt p://bagging.org/key/? qs=52db268891d044c4fa128d4e06b660870c2fe9c4ca138597ad60562136102f407d68b576f42d29c7e 60320ff28a9667d&t=auto+credit+loan+poor HTTP/1.1" 200 1870 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR
• Be consistent and conscious of fow • Be clear.
Use helpers • Be mindful of loading time • Don’t “dead end” the user • Think ahead Rules for data presentation Ok, maybe just suggestions
Tab C O M P L I A N C
E : Contains compliance related information
WWW NESS US ZABB IX
None
Nessus HTML output • BIG! 300K to 1.5M in size;
redundant • Difcult to navigate • Single option for host representation
Modifed HTML output • Small! Under 10K • Just report
relevant info • Sort option on column headings • Hostname and IP
Tab D E V I C E S : Contains
maps created by Zabbix
ZABB IX
None
Tab E M A I L : Contains SPAM summary
data and Exchange environment information
ZABB IX
IP2C
This link graph shows a typical day of spam:
This link graph shows a particularly heavy day of spam:
FLOW SH
Tab N E T W O R K : Contains
high level network information
FLOW
FLOW
FLOW
FLOW
SH
Tab S I T E S : Acts as a
loader for sensor content
SH
SH
SH
SH
SH
FLOW
FLOW
Tab S T U D E N T V L
A N : An example (last one, promise) of grouped content
FLOW
IDS SH
IP2C IDS
IDS
• URELLS • Visuals with more depth • New types
of visuals: - Wordmaps (tag clouds) - Circos • Hints in link area The Future? Where are we going