Slide 9

5 to 10 MHz FTW!

    READY
    10 PRINT "HELLO ATLSECCON!"
    20 GOTO 10
    RUN

Slide 11

and security?

Slide 12

IRC PHRACK 2600 QUAKE HACKING EXPLORING BUGTRAQ #hack Road trip!

Slide 13

vegas

Slide 14

squert – an open source web interface for NSM data
paul halliday | AtlSecCon, Halifax 2015

Slide 15

we are going to talk about:
- project history
- ~$ echo 'Big Data' | sed 's/Big/Just plain old/'
- interface design and UX

Slide 16

Sguil: The Analyst Console for Network Security Monitoring (tcl/tk)

Diagram: one central sguild server with analyst console(s) in New York, Toronto, Halifax and Tokyo. Alerts ("ALERT! ALERT! ALERT!") go out to the consoles; "ACKNOWLEDGED" comes back.

Slide 17

21 Locations
13 Campuses
2 Data Centers
..links, links, and more links

Slide 18

so why make squert?

Slide 19

“Written By Analysts, For Analysts”

Slide 20

problem
- no analysts
- lack of summary information
- no visuals or helpers

Slide 21

solution

Slide 22

version 0.1.0 (php)

Slide 23

version 0.6.0
ip2c.tcl – IP-to-country data from the five RIRs (afrinic | apnic | arin | lacnic | ripe) -> MySQL
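
The ip2c step above, as an added example in Python rather than Tcl (this is not the talk's ip2c.tcl and not squert code): the five RIRs publish "delegated-<rir>-latest" files in a common pipe-separated format, and an IP-to-country table is just those IPv4 rows turned into integer ranges. The sample rows are constructed in that format, and the `ip2c` SQL table and its column names are hypothetical.

```python
"""IP-to-country lookup from RIR delegated-statistics files (added example)."""
import bisect
import ipaddress

# Constructed sample in the delegated-<rir>-latest format:
#   version line, per-type summary lines, then
#   registry|cc|type|start|value|date|status[|extensions]
# For ipv4 rows 'value' is a count of addresses; for ipv6 rows it is a
# prefix length, which is why ipv6 rows are skipped below.
SAMPLE_DELEGATED = """\
2|arin|20150101|4|19700101|20150101|-0500
arin|*|ipv4|*|2|summary
arin|US|ipv4|192.0.2.0|256|19930630|assigned
apnic|JP|ipv4|203.0.113.0|256|20000101|allocated
ripencc|DE|ipv4|198.51.100.0|128|20050101|assigned
ripencc|DE|ipv4|198.51.100.128|128|20050101|assigned
apnic|JP|ipv6|2001:db8::|32|20000101|allocated
afrinic|ZZ|ipv4|100.64.0.0|1024|20100101|reserved
"""


def parse_delegated(text):
    """Return (start_int, end_int, cc, registry) for allocated/assigned IPv4 rows, sorted by start."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        # Version header has no 'ipv4' in field 3; summary lines have cc == '*'.
        if len(parts) < 7 or parts[1] == "*" or parts[2] != "ipv4":
            continue
        registry, cc, _type, start, value, _date, status = parts[:7]
        if status not in ("allocated", "assigned"):
            continue  # 'available' / 'reserved' rows carry no real country
        first = int(ipaddress.IPv4Address(start))
        rows.append((first, first + int(value) - 1, cc, registry))
    rows.sort()
    return rows


class Ip2c:
    """Range table with binary-search lookup on the sorted start addresses."""

    def __init__(self, rows):
        self.rows = rows
        self.starts = [r[0] for r in rows]

    def lookup(self, ip):
        """Country code for an IPv4 address, or None if no RIR row covers it."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2]
        return None


def to_sql(rows, table="ip2c"):
    """Render the table as SQL for loading into MySQL (hypothetical schema).

    Values come from a parsed registry file, not from users; anything
    user-supplied should go through parameterized statements instead.
    """
    out = [f"CREATE TABLE {table} (ip_start INT UNSIGNED NOT NULL, "
           "ip_end INT UNSIGNED NOT NULL, cc CHAR(2) NOT NULL, "
           "rir VARCHAR(8) NOT NULL, INDEX (ip_start));"]
    for s, e, cc, rir in rows:
        out.append(f"INSERT INTO {table} VALUES ({s}, {e}, '{cc}', '{rir}');")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    table = Ip2c(parse_delegated(SAMPLE_DELEGATED))
    for ip in ("192.0.2.77", "198.51.100.200", "10.0.0.1"):
        print(ip, table.lookup(ip))
    print(to_sql(table.rows))
```

The extended format adds columns after `status`; `parts[:7]` ignores them. Addresses in rows whose status is `reserved` or `available` deliberately resolve to None rather than to the placeholder country `ZZ`.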

Slide 24

then in 2008
NSM in minutes! batteries included, no assembly required
enter

Slide 25

version 0.9.0

Slide 26

problem
- static content
- missing basic functionality
- no workflow

Slide 27

architecture fail

Diagram: client <-> server. The client asks "what's up?"; questions go one way, answers come back the other.

Slide 29

???

Slide 30

version 1.0.0 (js)
missing a ton of stuff, but ready to grow

Slide 31

the data

Slide 32

Suricata: Open source Intrusion Detection System

Diagram: Suricata -> unified log (disk) -> ids_agent -> sguild (realtime event) -> MySQL -> client; packet capture (disk) -> pcap_agent -> context

Slide 33

Bro: Open source Network Security Monitor

Diagram: Bro -> notice.log, intel.log (disk) -> bro_agent -> sguild (realtime event) -> MySQL -> client

Slide 34

Syslog-ng: Environment logs

Diagram: syslog-ng -> LOGS (disk) -> logstash -> ElasticSearch -> client (context)

Slide 35

The Bro Intel Framework

Intel.log

    #fields  indicator  indicator_type  meta.source     meta.url                                     meta.do_notice  meta.if_in
             000007.ru  Intel::DOMAIN   MalwareDomains  http://malwaredomains.com/files/justdomains  F               -

(the meta.* columns are the intel metadata controls)

Intel Types: Intel::ADDR, Intel::URL, Intel::SOFTWARE, Intel::EMAIL, Intel::DOMAIN, Intel::USER_NAME, Intel::FILE_HASH, Intel::FILE_NAME, Intel::CERT_HASH

01100001 00100000 01110111 01101000 01101111 01101100 01100101 00100000 01100010 01110101 01101110 01100011 01101000 00100000 01101111 01100110 00100000 01100100 01100001 01110100 01100001 00100000 01101000 01100101 01110010 01100101 00100001 00100001
(decoded: "a whole bunch of data here!!")

Slide 36

where can I get intel?
- Search GitHub
- Reports (parsers available)
- Critical Stack Intel Marketplace :)
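
The Intel Framework file format from the previous slide and the "parsers available" point here, as an added example (not squert code and not from the talk): convert a plain one-indicator-per-line feed like the justdomains list into the tab-separated intel file Bro loads, and validate a file before pointing Bro at it. The nine Intel:: types and the six columns are the ones on the slide; the feed text is constructed, and the type-guessing rules are this example's own heuristics.

```python
"""Build and check Bro Intel Framework files (added example)."""
import ipaddress
import re

# The nine indicator types listed on the slide.
INTEL_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}
# Columns from the slide's '#fields' line, in order.
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.url",
          "meta.do_notice", "meta.if_in"]

HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")


def guess_type(indicator):
    """Heuristic Intel:: type for a bare indicator from a plain-text feed."""
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    if HASH_RE.fullmatch(indicator):
        return "Intel::FILE_HASH"
    if "@" in indicator:
        return "Intel::EMAIL"
    if "/" in indicator:
        # Bro matches Intel::URL indicators without a scheme prefix.
        return "Intel::URL"
    return "Intel::DOMAIN"


def feed_to_intel(feed_text, source, url, do_notice=False, if_in="-"):
    """Render a plain feed (one indicator per line, '#' comments) as an intel file."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for raw in feed_text.splitlines():
        ind = raw.strip()
        if not ind or ind.startswith("#"):
            continue
        if "\t" in ind or " " in ind:
            raise ValueError(f"indicator contains whitespace: {ind!r}")
        lines.append("\t".join([ind, guess_type(ind), source, url,
                                "T" if do_notice else "F", if_in]))
    return "\n".join(lines) + "\n"


def parse_intel(text):
    """Parse an intel file into row dicts; raise ValueError on the mistakes
    that make Bro reject or silently misload a file (missing #fields header,
    space-separated columns, unknown type, bad do_notice flag)."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("first line must be a tab-separated #fields header")
    fields = lines[0].split("\t")[1:]
    if fields[:2] != ["indicator", "indicator_type"]:
        raise ValueError("indicator and indicator_type must be the first two fields")
    rows = []
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            raise ValueError(f"line {n}: {len(parts)} fields, header has {len(fields)}"
                             " (spaces instead of tabs is the usual cause)")
        row = dict(zip(fields, parts))
        if row["indicator_type"] not in INTEL_TYPES:
            raise ValueError(f"line {n}: unknown type {row['indicator_type']}")
        if row.get("meta.do_notice", "F") not in ("T", "F"):
            raise ValueError(f"line {n}: meta.do_notice must be T or F")
        rows.append(row)
    return rows


def is_valid_intel(text):
    """True if parse_intel accepts the file."""
    try:
        parse_intel(text)
        return True
    except ValueError:
        return False


# Constructed mixed indicator list, not real feed data.
SAMPLE_FEED = """\
# constructed sample
000007.ru
bad-example.test
198.51.100.7
"""

if __name__ == "__main__":
    print(feed_to_intel(SAMPLE_FEED, "MalwareDomains",
                        "http://malwaredomains.com/files/justdomains"))
```

Running it on SAMPLE_FEED yields three rows with a proper `#fields` header; the same rows joined with spaces instead of tabs fail `is_valid_intel`, which is the failure mode that most often leaves a freshly added feed silently unmatched.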

Slide 40

the interface

Slide 41

using filters
- ip 10.0.0.5,192.168.0.6,172.16.0.7
- stvl
- shell:
- explicit:

Slide 42

creating filters

Slide 44

Working in the queue
- when we first saw this
- grouped by Signature
- grouped by IP

Slide 46

context menu

Slide 48

results pulled in from ElasticSearch

Slide 49

context menu

Slide 50

adding items to the context menu

Slide 51

Alert classification

Slide 52

summary tab

Slide 57

views tab

Slide 60

Twitter: @01110000
GitHub: int13h
Thanks!
www.pintumbler.org