DAVIX Visualization Bootcamp 25C3
|
|
- Calvin Mark Rogers
- 8 years ago
- Views:
Transcription
1 DAVIX Visualization Bootcamp 25C3 Visualize Your Network! Jan P. Monsch Marius Ciepluch About Your Hosts Jan P. Monsch DAVIX Project Initiator & Lead Engineer Marius Ciepluch DAVIX User & Workshop Assistant Senior Security Analyst Student in Security and Forensic Dublin City University Student in Computer University Lübeck
2 Workshop Preparation Get DAVIX Visit Download davix defcon16.iso.gz davix-manual pdf 25c3-workshop.lzm Recommended setup VMware Player or VMware Fusion Bridged or NAT networking Configure host to access 25C3 network See chapter & in manual for assistance Agenda Introduction DAVIX Visualization Walk-Through DAVIX Hands-on Lab Visualization Contest
3 Introduction DAVIX Initial Situation Security visualization is quite new Currently two books available [1, 2]
4 Initial Situation Many free visualization tools But installation is often cumbersome Compiler version and library issues Code difficult to build or broken Diverse runtime environments: Java, Perl, Ruby, Python, Windows Applications Huge hurdle for people to get start with security visualization Mission Statement DAVIX shall provide the audience with a workable and integrated tools set, enable them to immediately start with security visualization and motivate them to contribute to the security visualization community.
5 Inside the DAVIX Live CD Live Linux CD system based on SLAX 6 [3] Software packages are modularized Easy customizable Runs from CD/DVD, USB stick or hard drive Collection of free tools for processing & visualization Tools work out of the box No compilation or installation of tools required Comes with documentation [4] Quick start description for the most important tools Links to manuals and tutorials DAVIX Tools Capture Network Tools Argus Snort Wireshark Logging syslog-ng Fetching Data wget ftp scp Processing Shell Tools awk, grep, sed Visualization Preprocessing AfterGlow LGL Extraction Chaosreader Data Enrichment geoiplookup whois, gwhois Visualization Network Traffic EtherApe InetVis tnv Generic AfterGlow Graphviz LGL Viewer Mondrian R Project Treemap
6 Highlights Upcoming 1.0.5α Capture Network Tools Bro IDS Processing Integration Splunk NSM Console PCAP manipulation/ extraction ngrep tcpxtract tcpslice tcpflow Visualization Network Traffic FlowTag INAV NetGrok Zenmap Generic NAZAR Octave Visualization
7 Visualization Raffael Marty A picture is worth a thousand log records. [2] Ben Shneiderman The purpose of viz is insight, not pictures. [5] Information Seeking Mantra [6] Details on Demand Overview Zoom and Filter
8 Information Viz Process [2] Interface Issue Each visualization tool has its own file format interfaces Data must be converted to match the import interfaces These adapters are mostly self-written snippets of code Viz Tool 1 PCAP CSV? TM3 Viz Tool 2 Viz Tool 3?? Viz Tool 4
9 Walk-Through User Interface Menu organized around Info Viz Process Capture Process Visualize Tools often cover more than one category Afterglow Process, Visualize Additional tools/services Apache, MySQL, NTP
10 PDF User Manual Content Quick start guide Network setup information Tool usage examples Links to online resource Customizing DAVIX User Manual in the Menu The manual is browsable by chapter or individual tool chapters
11 Hands-on Lab Overview Lab built around Info Viz Process DAVIX Tools Processing Wireshark / tshark [7] p0f [8] awk [9], sed, uniq Snort [10] Visualization AfterGlow [11] Graphviz [12] Treemap [13] Problem Definition Details on Demand Visualize Overview Filter
12 Problem Definition Type of Traffic? Network Topology? Gateway? Team Server? Other Team Systems? Activities? Communication Pattern? Attacks? Type of Traffic
13 Overview - Background l CTF DEFCON 12 l l 6 teams l l l PCAP File 1 server per team with vulnerable services Many team member systems Symmetrical setup for all teams. Overview - Wireshark l Basic statistics l l l l 54 MB PCAP file Date min of traffic packets
14 Overview - Wireshark Packets Protocols Mostly IP Mostly TCP Some UDP Traffic Volume Mostly TCP Overview - Wireshark TCP Mostly HTTP Some DCE RPC Windows
15 Overview - Wireshark Traffic Shape Constant at begin Massive increase at the end. tcp.port==80 Network Topology
16 Visualize: AfterGlow / Graphviz Possible Gateways Not a Gateway Zoom & Filter - tshark 001_network_topology_gateway.sh CSV of source/destination IP to source/destination MAC addresses ,00:00:86:5b:e9:6a ,00:04:5a:a2:d4: ,00:c0:95:e0:0e:af ,00:c0:95:e0:0e:af ,00:c0:95:e0:0e:af ,00:09:6b:53:8a: ,00:c0:95:e0:0e:af...
17 Zoom & Filter - tshark 001_network_topology_gateway.sh Extract IP addresses and their MAC addresses tshark -r davix_workshop_captures.pcap -e ip.src -e eth.src -Tfields -E separator=, -R ip > ip_mac.csv tshark -r davix_workshop_captures.pcap -e ip.dst -e eth.dst -Tfields -E separator=, -R ip >> ip_mac.csv cat ip_mac.csv sort uniq > ip_mac_distinct.csv 001_network_topology_gateway.sh Visualize: AfterGlow / Graphviz Visualize CSV file using AfterGlow cat ip_mac_distinct.csv afterglow.pl -t neato -Tpng -o ip_mac_distinct.png View resulting image gqview
18 001_network_topology_gateway.sh Visualize: AfterGlow / Graphviz Possible Gateways Not a Gateway Overview p0f 002_network_topology_operating_system.sh Other teams come through NAT Results ,FreeBSD (or MacOS X ) ,FreeBSD (or MacOS X ) ,Linux ,OpenBSD ,Windows 2000 SP4, XP SP ,Windows XP SP1+, 2000 SP ,Linux ,Linux ,Linux ,Linux ,Linux ,Linux ,Linux
19 Overview p0f 002_network_topology_operating_system.sh Identify Involved Operating Systems p0f -f /etc/p0f/p0f.fp -s davix_workshop_captures.pcap -N sed "s/ (up.*$//" sed "s/:[0-9]* - /,/" sort uniq Visualize Visio ;-) Topology Opponents :C0:95:E0:0E:AF NAT IP Linux 00:0B:5F:69:B2:01 CISCO 00:E0:98:08:F7:E2
20 Visualize Visio ;-) Our Team 00:0B:5F:69:B2:01 CISCO 00:E0:98:08:F7:E WIN WIN Linux ?Unix? Linux Linux Linux Linux Linux Linux Activities Linked Graphs
21 Visualize: AfterGlow / Graphviz Green Our team Red Other teams Yellow NAT IP Blue Neutral 003_activity_connections.sh Zoom & Filter - tshark 003_activity_connections.sh Extract source & destination IP addresses tshark -r davix_workshop_captures.pcap -e ip.src -e ip.dst -Tfields -E separator=, -R ip > ipsrc_ipdst.csv
22 Visualize: AfterGlow / Graphviz Visualize CSV file using AfterGlow cat ipsrc_ipdst.csv afterglow.pl -c color1.properties -t neato -Tpng -o ipsrc_ipdst.png View resulting image gqview 003_activity_connections.sh Visualize: AfterGlow / Graphviz AfterGlow color1.properties 003_activity_connections.sh color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/); color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/); color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/); color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/); color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/); color.source="lightsalmon" color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/); color.target="palegreen" if ($fields[1]=~/^192\.168\.4\..*/); color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/); color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/); color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/); color.target="lightsalmon"
23 Visualize: AfterGlow / Graphviz Green Our team Red Other teams Yellow NAT IP Blue Neutral 003_activity_connections.sh Visualize: AfterGlow / Graphviz Zoom Image 003_activity_connections.sh /24 attacking other teams But who is the most active IP?
24 Visualize: AfterGlow / Graphviz Size of nodes dependent on volume of activity 004_activity_connections_volume.sh Visualize: AfterGlow / Graphviz AfterGlow color2.properties 004_activity_connections_volume.sh color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/); color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/); color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/); color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/); color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/); color.source="lightsalmon" size.source=$sourcecount{$sourcename}; maxnodesize=1; color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/); color.target="palegreen" if ($fields[1]=~/^192\.168\.4\..*/); color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/); color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/); color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/); color.target="lightsalmon" size.target=$targetcount{$targetname};
25 Visualize: AfterGlow / Graphviz Visualize CSV file using AfterGlow cat ipsrc_ipdst.csv afterglow.pl -c color2.properties -t neato -Tpng -o ipsrc_ipdst_2.png View resulting image gqview 004_activity_connections_volume.sh Visualize: AfterGlow / Graphviz Most active talker is _activity_connections_volume.sh
26 Activities Communication Patterns Visualize: Treemap 005_activity_connections_treemap.sh
27 Visualize: Treemap 005_activity_connections_treemap.sh TM3 formatted file IP Src IP Dest Count STRING STRING INTEGER Zoom & Filter: tshark 005_activity_connections_treemap.sh Extract source/destination IP & packet count tshark -r davix_workshop_captures.pcap -e ip.src -e ip.dst -Tfields E separator=/t -R "ip" sort uniq -c awk '{print $2 "," $3 "," $1}' > ipsrc_ipdst_pktcount.csv
28 Visualize: Treemap Convert CSV to TM3 format 005_activity_connections_treemap.sh cat ipsrc_ipdst_pktcount.csv awk -F, 'BEGIN { print "IP Src\tIP Dest\tCount"; print "STRING\tSTRING\tINTEGER" } { print $1 "\t" $2 "\t" $3 }' > ipsrc_ipdst_pktcount.tm3 Visualize: Treemap Open TM3 file in Treemap In Legend tab Set Label to count Set Size to count Set Color to IP Dest In Hierarchy tab Add IP Src to Hierarchy Add IP Dest to Hierarchy 005_activity_connections_treemap.sh
29 Visualize: Treemap 005_activity_connections_treemap.sh Contest Attacks
30 Zoom & Filter - Snort Extract Snort alerts 006_activity_attacks.sh snort -c /etc/snort/snort.bleeding.conf -r davix_workshop_captures.pcap Convert Snort alerts to CSV file cat /var/log/snort/alert snortalert2csv.pl "sip dip name" sort uniq Zoom & Filter - Snort Snort CSV file 006_activity_attacks.sh , ,(http_inspect) BARE BYTE UNICODE ENCODING , ,BLEEDING-EDGE PHPNuke general SQL injection attempt , ,BLEEDING-EDGE WEB-MISC Poison Null Byte , ,(http_inspect) OVERSIZE CHUNK ENCODING , ,BLEEDING-EDGE SCAN NMAP -sa (1) , ,(http_inspect) OVERSIZE CHUNK ENCODING , ,(http_inspect) WEBROOT DIRECTORY TRAVERSAL , ,BLEEDING-EDGE PHPNuke general SQL injection attempt , ,BLEEDING-EDGE SCAN NMAP -sa (1) , ,BLEEDING-EDGE WEB-MISC Poison Null Byte
31 006_activity_attacks.sh Visualize: Contest Modify existing workshop script 004_activity_connections_volume.sh and AfterGlow configuration color2.properties such that the shape of the nodes represent attacking nodes. the type of attack is visible in the linked graph. Visualize: Contest Terms and Conditions The best submission, which has solved exercise 1 AND 2, wins a copy of Raffael Marty's "Applied Security Visualization" book Result submissions must include a shell script that generates the graph be handed in until January 6, :59 UTC be sent to jan dot monsch ät iplosion dot com Legal recourse is excluded 006_activity_attacks.sh
32 Q & A davix.secviz.org References I [1] Conti G. Security Data Visualization. No Starch Press, [2] Marty R. Applied Security Visualization. Pearson Education, [3] Matějíček T. SLAX 6. [4] Monsch J. P., Marty R. DAVIX Manual pdf [5] Shneiderman B. Keynote VizSec. Boston: 2008 [6] Shneiderman B. The Eyes Have It: A Task by Data Type Taxonomy for Information Visualization. IEEE Visual Languages. pp
33 References II [7] Wireshark / tshark Manual [8] p0f [9] awk Tutorial [10] Snort Manual [11] AfterGlow Manual [12] Graphviz Documentation [13] Treemap Manual
DAVIX Visualization Workshop
DAVIX Visualization Workshop Jan P. Monsch jan.monsch@iplosion.com About Jan P. Monsch Currently Senior Security Analyst Technical Reviewer @ Pearson Education DAVIX Project Initiator & Lead Engineer On
More informationDAVIX Visualization. Workshop
V DAVIX Visualization D X Workshop V DAVIX Visualization D X Workshop Jan. Monsch at iplosion. com Raffael. Marty at secviz. org Chief Security Strategist @ Splunk> Passion for Visualization http://secviz.org
More informationIT Data Visualization
IT Data Visualization Raffael Marty, GCIA, CISSP Chief Security Strategist @ Splunk> SUMIT, Michigan - October 08 Raffael Marty Chief Security Strategist @ Splunk> Looked at logs/it data for over 10 years
More informationWireshark Deep packet inspection with Wireshark
Wireshark Deep packet inspection with Wireshark Wireshark is a free and open-source packet analyzer. It is commonly used to troubleshoot network issues and analysis. Originally named Ethereal, in May 2006
More informationNetwork visualization
Whether you are a security analyst, system administrator or technical manager, chances are you are confronted with an overwhelming sea of security related data. Typically, we analyze this data with textual
More informationCloud-based Log Analysis and Visualization
Cloud-based Log Analysis and Visualization DeepSec 2010, Vienna, Austria mobile-166 My syslog Raffael Marty - @zrlram Raffael (Raffy) Marty Founder @ Chief Security Strategist and Product Manager @ Splunk
More informationPICTURES. the flood of raw data generated by. Tools for visualizing IDS output. Cover story. Security Visualization Tools
Cover story Security Visualization Tools tasosk, 123RF Tools for visualizing IDS output PICTURES Spot intruders with these easy security visualization tools. BY RUSS MCREE the flood of raw data generated
More informationSafe network analysis
Safe network analysis Generating network traffic captures within a virtual network. Presented by Andrew Martin 1 Introduction What is a sniffer How does sniffing work Usages Scenarios Building safe repositories
More informationExercise 7 Network Forensics
Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:
More informationNetworks and Security Lab. Network Forensics
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
More informationNetwork Forensics Network Traffic Analysis
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More information6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS
6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS 6.1. Wireshark network sniffer Wireshark (originally called Ethereal) is a freeware network sniffer. A sniffer investigates and analyzes network traffic.
More informationNetwork Intrusion Analysis (Hands-on)
Network Intrusion Analysis (Hands-on) TCP/IP protocol suite is the core of the Internet and it is vital to understand how it works together, its strengths and weaknesses and how it can be used to detect
More informationSecurity visualisation
Security visualisation This thesis provides a guideline of how to generate a visual representation of a given dataset and use visualisation in the evaluation of known security vulnerabilities by Marco
More informationEINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL
EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL PREPARATIONS STUDYING SIP PROTOCOL The aim of this exercise is to study the basic aspects of the SIP protocol. Before executing the exercise you should
More informationNetFlow Analytics for Splunk
NetFlow Analytics for Splunk User Manual Version 3.5.1 September, 2015 Copyright 2012-2015 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 3 Overview... 3 Installation...
More informationPort Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.
Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationMonitoring System Status
CHAPTER 14 This chapter describes how to monitor the health and activities of the system. It covers these topics: About Logged Information, page 14-121 Event Logging, page 14-122 Monitoring Performance,
More informationTraffic visualization with Arista sflow and Splunk
Preface The need for real time traffic information is becoming a growing requirement within a majority of data centers today. Source and destination information, top talkers, top web sites, packet discards,
More informationPassive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm, Network IDS devices use passive network monitoring extensively to detect possible threats. Through passive
More informationIntroduction to Network Security Lab 1 - Wireshark
Introduction to Network Security Lab 1 - Wireshark Bridges To Computing 1 Introduction: In our last lecture we discussed the Internet the World Wide Web and the Protocols that are used to facilitate communication
More informationIntroduction to Passive Network Traffic Monitoring
Introduction to Passive Network Traffic Monitoring CS459 ~ Internet Measurements Spring 2015 Despoina Antonakaki antonakd@csd.uoc.gr Active Monitoring Inject test packets into the network or send packets
More informationLab 8.4.2 Configuring Access Policies and DMZ Settings
Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set
More informationUSE HONEYPOTS TO KNOW YOUR ENEMIES
USE HONEYPOTS TO KNOW YOUR ENEMIES SHERIF MOUSA (EG-CERT) 9 MAY 2012 WHAT ARE WE GOING TO TALK ABOUT? What exactly happens on the end of your Internet connection. Open Source tools to set up your own Honeypot
More informationDAVIX. The Data Analysis and Visualization Linux. Version 0.5.0. Authors: Jan P. Monsch, jan döt monsch ät iplosion döt com
DAVIX The Data Analysis and Visualization Linux Version 0.5.0 Authors: Jan P. Monsch, jan döt monsch ät iplosion döt com Raffael Marty, raffy ät secviz döt org 1 / 111 Contents 1. DAVIX - Visualize Your
More informationSOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013
SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and
More informationDuring your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) 192.168.0.2 /24
Introduction The Network Vulnerabilities module provides you with the instruction and Server hardware to develop your hands on skills in the defined topics. This module includes the following exercises:
More informationLab 8.4.2 Configuring Access Policies and DMZ Settings
Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set
More information1 Log visualization at CNES (Part II)
1 Log visualization at CNES (Part II) 1.1 Background For almost 2 years now, CNES has set up a team dedicated to "log analysis". Its role is multiple: This team is responsible for analyzing the logs after
More informationSecurity Correlation Server Quick Installation Guide
orrelogtm Security Correlation Server Quick Installation Guide This guide provides brief information on how to install the CorreLog Server system on a Microsoft Windows platform. This information can also
More informationEdge Configuration Series Reporting Overview
Reporting Edge Configuration Series Reporting Overview The Reporting portion of the Edge appliance provides a number of enhanced network monitoring and reporting capabilities. WAN Reporting Provides detailed
More informationNetwork Security Monitoring
Network Security Coleman Kane Coleman.Kane@ge.com September 24, 2014 Cyber Defense Overview Network Security 1 / 23 Passive Passive 2 Alert Alert Passive monitoring analyzes traffic with the intention
More informationNetwork Probe User Guide
Network Probe User Guide Network Probe User Guide Table of Contents 1. Introduction...1 2. Installation...2 Windows installation...2 Linux installation...3 Mac installation...4 License key...5 Deployment...5
More informationDetecting Threats in Network Security by Analyzing Network Packets using Wireshark
1 st International Conference of Recent Trends in Information and Communication Technologies Detecting Threats in Network Security by Analyzing Network Packets using Wireshark Abdulalem Ali *, Arafat Al-Dhaqm,
More informationOpen Source Security Tool Overview
Open Source Security Tool Overview Presented by Kitch Spicer & Douglas Couch Security Engineers for ITaP 1 Introduction Vulnerability Testing Network Security Passive Network Detection Firewalls Anti-virus/Anti-malware
More informationWeb Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange
More informationIntrusion Detection in AlienVault
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationNetwork Monitoring. By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative
Network Monitoring By: Delbert Thompson Network & Network Security Supervisor Basin Electric Power Cooperative Overview of network Logical network view Goals of Network Monitoring Determine overall health
More informationNetworks & Security Course. Web of Trust and Network Forensics
Networks & Security Course Web of Trust and Network Forensics Virtual Machine Virtual Machine Internet connection You need to connect the VM to the Internet for some of the Web of Trust exercises. Make
More informationhttps://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting
https://elearn.zdresearch.com https://training.zdresearch.com/course/pentesting Chapter 1 1. Introducing Penetration Testing 1.1 What is penetration testing 1.2 Different types of test 1.2.1 External Tests
More informationBy Jascha Wanger (jaschawanger@bse-inc.com) (jascha@localareasecurity.com)
Managing Data Center Functions with Open Source Tools By Jascha Wanger (jaschawanger@bse-inc.com) (jascha@localareasecurity.com) Outline Firewalls IDS (Intrusion Detection) Monitoring/Administration Auditing
More informationTransformation of honeypot raw data into structured data
Transformation of honeypot raw data into structured data 1 Majed SANAN, Mahmoud RAMMAL 2,Wassim RAMMAL 3 1 Lebanese University, Faculty of Sciences. 2 Lebanese University, Director of center of Research
More informationF i r e s ec tm F i r e w a l l R u l e b a s e A n a l y s i s T o o l
F i r e s ec tm F i r e w a l l R u l e b a s e A n a l y s i s T o o l P C I D S S C o m p l i a n c e Usage guide Comprehensive rule base analysis for medium to large enterprise environments The large
More informationFeatures Overview Guide About new features in WhatsUp Gold v14
Features Overview Guide About new features in WhatsUp Gold v14 Contents New Features in Ipswitch WhatsUp Gold v14 Welcome to WhatsUp Gold v14!... 1 About the Welcome Center About the Quick Setup Assistant...
More information10. Exercise: Automation in Incident Handling
107 10. Exercise: Automation in Incident Handling Main Objective Targeted Audience Total Duration Time Schedule Frequency The purpose of this exercise is to develop students abilities to create custom
More informationLab 2: Secure Network Administration Principles - Log Analysis
CompTIA Security+ Lab Series Lab 2: Secure Network Administration Principles - Log Analysis CompTIA Security+ Domain 1 - Network Security Objective 1.2: Apply and implement secure network administration
More informationEmerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.
Emerald Network Collector Version 4.0 Emerald Management Suite IEA Software, Inc. Table Of Contents Purpose... 3 Overview... 3 Modules... 3 Installation... 3 Configuration... 3 Filter Definitions... 4
More informationNVisionIP: An Interactive Network Flow Visualization Tool for Security
NVisionIP: An Interactive Network Flow Visualization Tool for Security Kiran Lakkaraju William Yurcik Ratna Bearavolu Adam J. Lee National Center for Supercomputing Applications (NCSA) University of Illinois,
More informationSCADA Security Example
SCADA Security Example Christian Paulino and Janusz Zalewski Florida Gulf Coast University December 2012 1. Introduction SCADA systems are always connected to a network, so they are vulnerable to attack.
More informationNetwork Traffic Analysis
2013 Network Traffic Analysis Gerben Kleijn and Terence Nicholls 6/21/2013 Contents Introduction... 3 Lab 1 - Installing the Operating System (OS)... 3 Lab 2 Working with TCPDump... 4 Lab 3 - Installing
More informationApplication Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1
Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document
More informationIntrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort
License Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons
More informationChapter 14 Analyzing Network Traffic. Ed Crowley
Chapter 14 Analyzing Network Traffic Ed Crowley 10 Topics Finding Network Based Evidence Network Analysis Tools Ethereal Reassembling Sessions Using Wireshark Network Monitoring Intro Once full content
More informationHoneyBOT User Guide A Windows based honeypot solution
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
More informationNetwork Monitoring Tool with LAMP Architecture
Network Monitoring Tool with LAMP Architecture Shuchi Sharma KIIT College of Engineering Gurgaon, India Dr. Rajesh Kumar Tyagi JIMS, Vasant Kunj New Delhi, India Abstract Network Monitoring Tool enables
More informationSAIP 2012 Performance Engineering
SAIP 2012 Performance Engineering Author: Jens Edlef Møller (jem@cs.au.dk) Instructions for installation, setup and use of tools. Introduction For the project assignment a number of tools will be used.
More informationThe Bro Network Intrusion Detection System
The Bro Network Intrusion Detection System Robin Sommer International Computer Science Institute, & Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org System Philosophy Bro
More informationLinux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
More informationIntrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion
More informationLinux: 20 Iptables Examples For New SysAdmins
Copyrighted material Linux: 20 Iptables Examples For New SysAdmins Posted By nixcraft On December 13, 2011 @ 8:29 am [ 64 Comments ] L inux comes with a host based firewall called
More informationVulnerability Assessment and Penetration Testing
Vulnerability Assessment and Penetration Testing Module 1: Vulnerability Assessment & Penetration Testing: Introduction 1.1 Brief Introduction of Linux 1.2 About Vulnerability Assessment and Penetration
More informationCSE331: Introduction to Networks and Security. Lecture 12 Fall 2006
CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on
More informationEFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS
EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS Manu Bansal Assistant Professor Department of IT University Institute of Engineering & Technology Panjab University,
More informationNetwork Security Platform 7.5
M series Release Notes Network Security Platform 7.5 Revision B Contents About this document New features Resolved issues Known issues Installation instructions Product documentation About this document
More informationVolume SYSLOG JUNCTION. User s Guide. User s Guide
Volume 1 SYSLOG JUNCTION User s Guide User s Guide SYSLOG JUNCTION USER S GUIDE Introduction I n simple terms, Syslog junction is a log viewer with graphing capabilities. It can receive syslog messages
More informationPractical Network Forensics
BCS-ISSG Practical Network Forensics Day BCS, London Practical Network Forensics Alan Woodroffe issg@securesystemssupport.co.uk www.securesystemssupport.co.uk Copyright Secure Systems Support Limited.
More informationPowering Monitoring Analytics with ELK stack
Powering Monitoring Analytics with ELK stack Abdelkader Lahmadi, Frédéric Beck INRIA Nancy Grand Est, University of Lorraine, France 2015 (compiled on: June 23, 2015) References online Tutorials Elasticsearch
More informationWireshark Hands-On Exercises
Wireshark Hands-On Exercises Step 1. Plug in the Airpcap USB device. Step 2. Step 3. Open Wireshark Start Wireless Tools Wireshark. Click on Capture Interfaces. Step 4. Choose the AirPcap USB adapter and
More informationMake a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.
CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files
More information19. Exercise: CERT participation in incident handling related to the Article 13a obligations
CERT Exercises Handbook 223 223 19. Exercise: CERT participation in incident handling related to the Article 13a obligations Main Objective Targeted Audience Total Duration This exercise provides students
More informationAppSec DC November 13, 2009. The OWASP Foundation http://www.owasp.org. Custom Intrusion Detection Techniques for Monitoring Web Applications
Custom Intrusion Detection Techniques for Monitoring Web Applications AppSec DC November 13, 2009 Matthew Olney Sourcefire VRT molney@sourcefire.com The OWASP Foundation http://www.owasp.org GIVE YOUR
More informationPANDORA FMS NETWORK DEVICES MONITORING
NETWORK DEVICES MONITORING pag. 2 INTRODUCTION This document aims to explain how Pandora FMS can monitor all the network devices available in the market, like Routers, Switches, Modems, Access points,
More information19531 - Telematics. 14th Tutorial - Proxies, Firewalls, P2P
19531 - Telematics 14th Tutorial - Proxies, Firewalls, P2P Bastian Blywis Department of Mathematics and Computer Science Institute of Computer Science 10. February, 2011 Institute of Computer Science Telematics
More informationIBM. Vulnerability scanning and best practices
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
More informationCS197U: A Hands on Introduction to Unix
CS197U: A Hands on Introduction to Unix Lecture 10: Security Issues and Traffic Monitoring Tian Guo University of Massachusetts Amherst CICS 1 Reminders Assignment 5 is due Thursday (Oct. 22) Part 1 (tracking
More informationNetwork Security. Network Packet Analysis
Network Security Network Packet Analysis Module 3 Keith A. Watson, CISSP, CISA IA Research Engineer, CERIAS kaw@cerias.purdue.edu 1 Network Packet Analysis Definition: Examining network packets to determine
More informationSome Tools for Computer Security Incident Response Team (CSIRT)
Some Tools for Computer Security Incident Response Team (CSIRT) AfNOG 12 30 th May 2011 10 th June 2011 Tanzania By Marcus K. G. Adomey Overview Some Unix Commands Some Selected Tools Snort AirSnort hping
More informationNmap: Scanning the Internet
Nmap: Scanning the Internet by Fyodor Black Hat Briefings USA August 6, 2008; 10AM Defcon 16 August 8, 2008; 4PM Abstract The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's
More informationITTC Communication Networks Laboratory The University of Kansas EECS 780 Introduction to Protocol Analysis with Wireshark
Communication Networks Laboratory The University of Kansas EECS 780 Introduction to Protocol Analysis with Wireshark Trúc Anh N. Nguyễn, Egemen K. Çetinkaya, Mohammed Alenazi, and James P.G. Sterbenz Department
More informationPacket Sniffing and Spoofing Lab
SEED Labs Packet Sniffing and Spoofing Lab 1 Packet Sniffing and Spoofing Lab Copyright c 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by the following grants from
More informationVisualizing Network Security
Visualizing Network Security Project Goals Log information is gathered by computer systems constantly, especially alert logs by security tools. These logs are textual and it is hard to get a big picture
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or
More informationPRI (T1/E1) Call Recorder User Manual Rev 1.0 (December 2013)
PRI (T1/E1) Call Recorder User Manual Rev 1.0 (December 2013) 1. Call Recording Architecture Overview PRI Call recording solution consists of two major components: Passive T1/E1 Tap Adapter and server
More informationNetwork forensics 101 Network monitoring with Netflow, nfsen + nfdump
Network forensics 101 Network monitoring with Netflow, nfsen + nfdump www.enisa.europa.eu Agenda Intro to netflow Metrics Toolbox (Nfsen + Nfdump) Demo www.enisa.europa.eu 2 What is Netflow Netflow = Netflow
More informationUSING WIRESHARK TO CAPTURE AND ANALYZE NETWORK DATA
USING WIRESHARK TO CAPTURE AND ANALYZE NETWORK DATA CPSC 441 TUTORIAL JANUARY 30, 2012 TA: RUITING ZHOU The content of these slides are taken from CPSC 526 TUTORIAL by Nashd Safa (Extended and partially
More informationPANDORA FMS NETWORK DEVICE MONITORING
NETWORK DEVICE MONITORING pag. 2 INTRODUCTION This document aims to explain how Pandora FMS is able to monitor all network devices available on the marke such as Routers, Switches, Modems, Access points,
More informationZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy
ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy OVERVIEW The global communication and the continuous growth of services provided through the Internet or local infrastructure require to
More informationIntrusion Detection System Visualization of Network Alerts
Intrusion Detection System Visualization of Network Alerts Dolores M. Zage and Wayne M. Zage Ball State University Final Report July 2010 Sponsor: U.S. Army Research Laboratory 20101115030 DEFENSE TECHNICAL
More informationVMware vcenter Log Insight Security Guide
VMware vcenter Log Insight Security Guide vcenter Log Insight 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
More informationIntroduction to Network Security Lab 2 - NMap
Introduction to Network Security Lab 2 - NMap 1 Introduction: Nmap as an Offensive Network Security Tool Nmap, short for Network Mapper, is a very versatile security tool that should be included in every
More informationEventSentry Overview. Part I About This Guide 1. Part II Overview 2. Part III Installation & Deployment 4. Part IV Monitoring Architecture 13
Contents I Part I About This Guide 1 Part II Overview 2 Part III Installation & Deployment 4 1 Installation... with Setup 5 2 Management... Console 6 3 Configuration... 7 4 Remote... Update 10 Part IV
More informationAn Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan
An Open Source IPS IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan Introduction IPS or Intrusion Prevention System Uses a NIDS or Network Intrusion Detection System Includes
More informationWebsense Web Security Gateway: What to do when a Web site does not load as expected
Websense Web Security Gateway: What to do when a Web site does not load as expected Websense Support Webinar November 2011 web security data security email security Support Webinars 2009 Websense, Inc.
More informationDNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory
GSI ID: 1065 DNS FLOODER V1.1 RISK FACTOR - HIGH 1.1 OVERVIEW / PLXSert has observed the release and rapid deployment of a new DNS reflection toolkit for distributed denial of service (DDoS) attacks. The
More informationMinimal network traffic is the result of SiteAudit s design. The information below explains why network traffic is minimized.
SiteAudit Knowledge Base Network Traffic March 2012 In This Article: SiteAudit s Traffic Impact How SiteAudit Discovery Works Why Traffic is Minimal How to Measure Traffic Minimal network traffic is the
More informationWireshark. Fakrul (Pappu) Alam fakrul@dhakacom.com
Wireshark Fakrul (Pappu) Alam fakrul@dhakacom.com What is Wireshark? Wireshark is a network packet/protocol analyzer. A network packet analyzer will try to capture network packets and tries to display
More informationSecurity Correlation Server Quick Installation Guide
orrelog Security Correlation Server Quick Installation Guide This guide provides brief information on how to install the CorreLog Server system on a Microsoft Windows platform. This information can also
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Secure Bytes, October 2011 This document is confidential and for the use of a Secure Bytes client only. The information contained herein is the property of Secure Bytes and may
More informationIDS and Penetration Testing Lab ISA656 (Attacker)
IDS and Penetration Testing Lab ISA656 (Attacker) Ethics Statement Network Security Student Certification and Agreement I,, hereby certify that I read the following: University Policy Number 1301: Responsible
More information