squert – an open source UI for NSM data

Transcript

1. None
2. None
3. None
4. None
5. None
6. None
7. None
8. None

9. 5 to 10 MHz FTW! READY 10 PRINT HELLO ATLSECCON!

   “ ” 20 GOTO 10 RUN
10. None

11. and security?

12. IRC PHRACK 2600 QUAKE HACKING EXPLORING BUGTRAQ #hack Road trip!

13. vegas

14. squert – an open source web interface for NSM data

    paul halliday | AtlSecCon, Halifax 2015

15. we are going to talk about project history ~$ echo

    'Big Data' | sed 's/Big/Just plain old/' interface design and UX

16. Sguil: The Analyst Console for Network Security Monitoring < tcl/tk

    > sguild New York Toronto Halifax Tokyo ALERT! ALERT! ALERT! Analyst console(s) ACKNOWLEDGED

17. 21 Locations 13 Campuses 2 Data Centers ..links, links, and

    more links

18. so why make squert?

19. “Written By Analysts, For Analysts”

20. p r o b l e m no analysts lack

    of summary information no visuals or helpers

21. s o l u t i o n

22. version 0.1.0 < php >

23. version 0.6.0 ip2c.tcl – afrinic | apnic | arin |

    lacnic | ripe -> to MySQL

24. then in 2008 NSM in minutes! batteries included, no assembly

    required enter

25. version 0.9.0

26. p r o b l e m static content missing

    basic functionality no workflow

27. client server what's up? architecture fail questions answers

28. None

29. ???

30. version 1.0.0 < js > missing a ton of stuff

    -but- ready to grow

31. the data

32. Suricata: Open source Intrusion Detection System ids_agent disk sguild MySQL

    client pcap_agent packet capture unified log realtime event context

33. Bro: Open source Network Security Monitor disk sguild MySQL client

    bro_agent intel.log notice.log realtime event

34. Syslog-ng: Environment logs disk ElasticSearch client logstash LOGS syslog-ng context

35. The Bro Intel Framework #fields indicator indicator_type meta.source meta.url meta.do_notice

    meta.if_in 000007.ru Intel::DOMAIN MalwareDomains http://malwaredomains.com/files/justdomains F - 01100001 00100000 01110111 01101000 01101111 01101100 01100101 00100000 01100010 01110101 01101110 01100011 01101000 00100000 01101111 01100110 00100000 01100100 01100001 01110100 01100001 00100000 01101000 01100101 01110010 01100101 00100001 00100001 intel metadata controls Intel::ADDR Intel::URL Intel::SOFTWARE Intel::EMAIL Intel::DOMAIN Intel::USER_NAME Intel::FILE_HASH Intel::FILE_NAME Intel::CERT_HASH Intel Types Intel.log !

36. where can I get intel? Search GitHub Reports (parsers available)

    Critical Stack Intel Marketplace :)
37. None
38. None
39. None

40. the interface

41. using filters ip 10.0.0.5,192.168.0.6,172.16.0.7 stvl shell: explicit:

42. creating filters

43. None

44. Working in the queue when we first saw this grouped

    by Signature grouped by IP
45. None

46. context menu

47. None

48. results pulled in from ElasticSearch

49. context menu

50. adding items to the context menu

51. Alert classification

52. summary tab

53. None
54. None
55. None
56. None

57. views tab

58. None
59. None

60. Twitter: @01110000 GitHub: int13h Thanks! www.pintumbler.org