
squert - an open source UI for NSM data

paulh
September 11, 2014

Security Onion Conference, Augusta. 2014.


Transcript

  1. squert - an open source web interface for NSM data
     paul halliday | NSCC | SOC, Augusta 2014
  2. “…I was trying to lookup squert at work but the search was blocked by our web proxy”
     “…while I was researching information for this post I very quickly realized that safe search is a requirement!”
     Got any freaky new genres in the pipe Ron?
  3. step 1: build
     step 2: deploy and configure
     step 3: open the flood gates
     tedious, frustrating, overwhelming
  4. enter NSM in seconds - even Mom can do it!
     then, in 2009:
     - obscurity can be good
     - no more hiding
     - but…
  5. Edward R. Tufte: books on displaying information
     - data first
     - don't layer decorations
     - 1 + 1 = 3
     - graphical excellence
  6. Graphical Excellence (or how not to invade Russia)
     - size of army
     - 2D location
     - direction of travel
     - location on certain dates
     - temp. on certain dates
  7. Graphical Excellence as explained by Tufte
     - a well designed presentation of interesting data
     - that which gives the viewer the greatest number of ideas in the shortest amount of time
     - complex ideas communicated with clarity
     this is where I want squert to be
  8. the data
     - suricata ids
     - bro network security monitor
     - bro agent for sguil
     - PCAP (selective)
     - windows eventlogs/app logs
     - barracuda spam firewall
  9. [architecture diagram; only the labels survive extraction]
     Components: Suricata (Intrusion Detection System (IDS); uses signatures to detect bad stuff), Bro (Network Security Monitor; comprehensive log collector), Sguil agents, Sguil, MySQL, ElasticSearch, Logstash, Disk, PCAP, Windows Servers, Spam Firewall
     Edge labels: syslog, Logs, Alerts, Client requests
     Peak: 2500 entries / second (notice log only)
     squert sits in front of MySQL and ElasticSearch, serving client requests