squert - an open source UI for NSM data

Transcript

1. squert - an open source web interface for NSM data

   paul halliday | NSCC | SOC, Augusta 2014

2. project history types of data the interface I am going

   to talk about

3. “…I was trying to lookup squert at work but the

   search was blocked by our web proxy” “…while I was researching information for this post I very quickly realized that safe search is a requirement!” Got any freaky new genres in the pipe Ron?

4. sguil (circa 2003) event driven distributed scales well < tcl/tk

   >

5. my job

6. None
7. None

8. 21 locations 13 campuses 2 data centers ERP, finance links

   everywhere

9. perception =

10. turn this into this

11. step 1: build step 2: deploy and configure step 3:

    open the flood gates tedious frustrating overwhelming

12. “Written By Analysts, For Analysts”

13. None

14. problem wrong audience timestamps (yeah you UTC!) lack of summary

    information no visuals/helpers

15. solution

16. version 0.1.0 < php >

17. version 0.6.0 ip2c.tcl – afrinic|apnic|arin|lacnic -> to MySQL

18. enter NSM in seconds even Mom can do it! then

    in 2009 obscurity can be good no more hiding but

19. version 0.9.0 STOP! time to regroup

20. problems slow… long load times static content no plan lots

    of duplication generally inefficient

21. architecture (original) client server we good?

22. < js >

23. { “id”: 1, “signature”:”bad guys”, “src_ip”:”65.55.58.201”, “dst_ip”:”10.0.0.1” } architecture (now)

    client server JSON we still good?

24. version 1.0 JavaScript a plan! survey says: “we hate it!”

25. Edward R. Tufte: books on displaying information data first don't

    layer decorations 1 + 1 = 3 graphical excellence

26. Graphical Excellence (or how not to invade Russia) - size

    of army - 2D location - direction of travel - location on certain dates - temp. on certain dates

27. Graphical Excellence as explained by Tufte a well designed presentation

    of interesting data that which gives the viewer the greatest number of ideas in the shortest amount of time complex ideas communicated with clarity this is where I want squert to be

28. version 1.4 < js >

29. so what can it do?

30. suricata ids bro network security monitor bro agent for sguil

    PCAP (selective) windows eventlogs/app logs barracuda spam firewall the data

31. MySQL ElasticSearch Bro Suricata Disk PCAP Sguil Intrusion Detection System

    (IDS). Uses Signatures to detect bad stuf Network Security Monitor. Comprehensive log collector Alerts squert Client requests Disk Logstash Windows Servers Spam Firewall Peak: 2500 entries / second (notice log only) Sguil agent syslog syslog syslog Logs Logs Logs Alerts Sguil agent Sguil agent Client requests

32. the interface

33. content links feature icons toggles summary click history

34. grouping - ON allows us to produce stats for each

    signature

35. grouping - OFF provides a time-line of events in context

36. the event frequency and intensity

37. event expansion payload transcript

38. event expansion - payload *

39. MySQL ElasticSearch Bro Suricata Disk PCAP Sguil Intrusion Detection System

    (IDS). Uses Signatures to detect bad stuf Network Security Monitor. Comprehensive log collector Alerts squert Client requests Disk Logstash Windows Servers Spam Firewall Peak: 2500 entries / second (notice log only) Sguil agent syslog syslog syslog Logs Logs Logs Alerts Sguil agent Sguil agent Client requests

40. event expansion - transcript summary P0f output

41. event expansion - transcript

42. event expansion – external source

43. MySQL ElasticSearch Bro Suricata Disk PCAP Sguil Intrusion Detection System

    (IDS). Uses Signatures to detect bad stuf Network Security Monitor. Comprehensive log collector Alerts squert Client requests Disk Logstash Windows Servers Spam Firewall Peak: 2500 entries / second (notice log only) Sguil agent syslog syslog syslog Logs Logs Logs Alerts Sguil agent Sguil agent Client requests

44. event expansion – external source

45. event expansion – external source

46. event categorization

47. option 1 – class only function keys: F1…F8

48. option 2 – class & comment

49. auto categorization

50. auto categorization

51. filters and URLs

52. filters – explicit or shell

53. explicit

54. shell

55. seems complicated.. No. This was complicated

56. URLs

57. URLs

58. content tabs

59. summary

60. summary

61. views

62. None

63. Squert: http://www.squertproject.org Sguil: http://sguil.net Secuity Onion: http://blog.securityonion.net Suricata: http://suricata-ids.org Bro:

    http://www.bro.org Me: int13h - GitHub @01110000