Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
squert – an open source UI for NSM data
Search
paulh
April 17, 2015
Technology
70
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
squert – an open source UI for NSM data
AtlSecCon, Halifax. 2015
paulh
April 17, 2015
More Decks by paulh
See All by paulh
Beginners Guide to OSINT
paulh
1
440
squert - an open source UI for NSM data
paulh
0
370
System Compliance on a Budget
paulh
0
59
Internet Safety
paulh
0
140
Situational Awareness with Open Source Tools
paulh
0
120
Network Security Monitoring with Open Source Tools
paulh
0
200
Other Decks in Technology
See All in Technology
AIDLC_ヤフーショッピングの取り組み
lycorptech_jp
PRO
0
560
生成AI活用によるODC欠陥分析の分類高速化の実践と導入効果 / 20260703 Suguru Ishii
shift_evolve
PRO
2
100
環境凍結という Toil を倒す -セルフサービス型 Ephemeral テスト環境の 設計と実践
shirouz
1
1.4k
地域 SRE コミュニティ最前線 / SRE NEXT 2026 Discussion Night Track C
muziyoshiz
0
150
そのタスクオンスケですか?
poropinai1966
0
140
SRE Lounge Hiroshimaへの招待
grimoh
0
390
SRE歴2ヶ月でも開発6年の知見を活かして、チームで止まっていた環境改善を前に進めた話
a_ono
1
220
cccccc
moznion
0
1.8k
Claude Code 珍プレー好プレー
shinyasaita
0
280
テスト設計の本質を改めて考えてみる~生成AIを活用する時代だからこそ、作ったテストの説明性を高めよう~
yamasaki696
1
390
AIペネトレーションテスト・ セキュリティ検証「AgenticSec」紹介資料
laysakura
2
8.1k
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
1.7k
Featured
See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
66
8.5k
How To Speak Unicorn (iThemes Webinar)
marktimemedia
1
500
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.6k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
3
890
How to Think Like a Performance Engineer
csswizardry
28
2.7k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
230
Groundhog Day: Seeking Process in Gaming for Health
codingconduct
0
240
The browser strikes back
jonoalderson
0
1.4k
Paper Plane (Part 1)
katiecoart
PRO
0
9.5k
Redefining SEO in the New Era of Traffic Generation
szymonslowik
1
350
How STYLIGHT went responsive
nonsquared
100
6.2k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
10
1.2k
Transcript
None
None
None
None
None
None
None
None
5 to 10 MHz FTW! READY 10 PRINT HELLO ATLSECCON!
“ ” 20 GOTO 10 RUN
None
and security?
IRC PHRACK 2600 QUAKE HACKING EXPLORING BUGTRAQ #hack Road trip!
vegas
squert – an open source web interface for NSM data
paul halliday | AtlSecCon, Halifax 2015
we are going to talk about project history ~$ echo
'Big Data' | sed 's/Big/Just plain old/' interface design and UX
Sguil: The Analyst Console for Network Security Monitoring < tcl/tk
> sguild New York Toronto Halifax Tokyo ALERT! ALERT! ALERT! Analyst console(s) ACKNOWLEDGED
21 Locations 13 Campuses 2 Data Centers ..links, links, and
more links
so why make squert?
“Written By Analysts, For Analysts”
p r o b l e m no analysts lack
of summary information no visuals or helpers
s o l u t i o n
version 0.1.0 < php >
version 0.6.0 ip2c.tcl – afrinic | apnic | arin |
lacnic | ripe -> to MySQL
then in 2008 NSM in minutes! batteries included, no assembly
required enter
version 0.9.0
p r o b l e m static content missing
basic functionality no workflow
client server what's up? architecture fail questions answers
None
???
version 1.0.0 < js > missing a ton of stuff
-but- ready to grow
the data
Suricata: Open source Intrusion Detection System ids_agent disk sguild MySQL
client pcap_agent packet capture unified log realtime event context
Bro: Open source Network Security Monitor disk sguild MySQL client
bro_agent intel.log notice.log realtime event
Syslog-ng: Environment logs disk ElasticSearch client logstash LOGS syslog-ng context
The Bro Intel Framework #fields indicator indicator_type meta.source meta.url meta.do_notice
meta.if_in 000007.ru Intel::DOMAIN MalwareDomains http://malwaredomains.com/files/justdomains F - 01100001 00100000 01110111 01101000 01101111 01101100 01100101 00100000 01100010 01110101 01101110 01100011 01101000 00100000 01101111 01100110 00100000 01100100 01100001 01110100 01100001 00100000 01101000 01100101 01110010 01100101 00100001 00100001 intel metadata controls Intel::ADDR Intel::URL Intel::SOFTWARE Intel::EMAIL Intel::DOMAIN Intel::USER_NAME Intel::FILE_HASH Intel::FILE_NAME Intel::CERT_HASH Intel Types Intel.log !
where can I get intel? Search GitHub Reports (parsers available)
Critical Stack Intel Marketplace :)
None
None
None
the interface
using filters ip 10.0.0.5,192.168.0.6,172.16.0.7 stvl shell: explicit:
creating filters
None
Working in the queue when we first saw this grouped
by Signature grouped by IP
None
context menu
None
results pulled in from ElasticSearch
context menu
adding items to the context menu
Alert classification
summary tab
None
None
None
None
views tab
None
None
Twitter: @01110000 GitHub: int13h Thanks! www.pintumbler.org