DAVIX Visualization Workshop
Jan P. Monsch (Jan.Monsch at iplosion.com), Raffael Marty (Raffael.Marty at secviz.org)
Raffael Marty
- Chief Security Strategist @ Splunk>
- Passion for Visualization: http://secviz.org, http://afterglow.sourceforge.net
- Author of "Applied Security Visualization", Addison Wesley (August 2008), paperback, 552 pages, ISBN 0321510100

Jan P. Monsch
- Senior Security Analyst
- DAVIX initiator and engineer: http://davix.secviz.org, http://www.iplosion.com
Workshop Preparation
30 DAVIX CDs:
- DAVIX image
- DAVIX manual
- PCAP file for analysis in /root
Copy the files to your disk and hand the CD to your neighbor!
Recommended setup:
- VMware Player or VMware Fusion
- Bridged or NAT networking
- VM setup assistance: chapters 6.1.1 and 6.1.2 in the manual
- Configure the host to access the DEFCON wireless network
Agenda
- DAVIX
- Visualization
- Example analysis
- Hands-on analysis
- Show us what you got
Goal: You can use DAVIX to analyze your data!
Visualization Questions
- Who analyzes logs?
- Who uses visualization for log analysis?
- Who has used DAVIX?
- Have you heard of SecViz.org?
- What tools are you using for log analysis?
DAVIX: Data Analysis and Visualization Linux
What is DAVIX?
Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easily customizable
- Runs from CD/DVD, USB stick or hard drive
Collection of free tools for data processing & visualization
- Tools work out of the box
- No compilation or installation of tools required
Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIX?
No free solution offering a wide range of visualization tools
- Huge hurdle for people to get started with visualization
Cumbersome to get tools running
- Compiler issues, e.g. gcc 3 vs. gcc 4
- Dependencies on uncommon and old libraries
- Different runtime environments
DAVIX goals
- Getting tools running is simple: users can concentrate on analysis
- Easily customizable: users can add missing things
- Perfect workspace to get you started with visualization!
User Interface - Menu Organization
Menu organized around the information visualization process: Capture, Process, Visualize
Tools often cover more than one category
- Afterglow: Process, Visualize
Additional tools/services:
- Apache, MySQL, NTP
Tools (non-exhaustive list)
Capture
- Network tools: Argus, Snort, Wireshark
- Logging: syslog-ng
- Fetching data: wget, ftp, scp
Processing
- Shell tools: awk, grep, sed
- Graph preprocessing: Afterglow, LGL
- Data enrichment: geoiplookup, whois/gwhois
Visualization
- Network traffic: EtherApe, InetVis, tnv
- Generic: Afterglow, LGL Viewer, Mondrian, R Project
PDF User Manual
- Quick start guide
- Network setup information
- Tool usage examples
- Links to online resources: tool home pages, manuals, tutorials
- Customizing DAVIX: customizing the ISO image, creating new modules, installation on USB stick or hard drive
User Manual in the Menu
The manual is browsable by chapter or by individual tool chapter.
What the Manual Is Not
- Not an introduction to security analysis methodologies
- Not a collection of security analysis use cases
- Not covering exhaustive examples
  - The usage examples are not security related
  - It is a quick usage guide for the tools
Look at Raffael's book to get these details!
Customizations
DAVIX and SLAX can be modified in two ways:
- LZM modules: add or remove modules in the directory slax/modules. Modules are highly compressed software packages.
- rootcopy: overwrite or add individual files of LZM modules by copying the modified files to the directory slax/rootcopy.
LZM modules can be generated from standard Slackware or dropline GNOME packages using tgz2lzm.
Visualization
Information Visualization Process
Capture -> Process -> Visualize
Data Formats
CSV / TSV:
10.0.0.2,80,23.2.1.2,failed
10.0.0.2,80,23.2.1.5,success

TM3 (tab-separated: header row, type row, data rows):
Source	Port	Destination	Action
STRING	INTEGER	STRING	STRING
10.0.0.2	80	23.2.1.2	failed

DOT (Graphviz; identifiers containing spaces must be quoted):
digraph structs {
  graph [label="My Graph"];
  node [shape=ellipse];
  edge [len=1];
  "ram" -> "activity 1";
  "ram" [fillcolor=white];
}

GML
AfterGlow 1.x
Pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher
CSV input:
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping
Generated DOT output:
digraph structs {
  graph [label="afterglow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}
An Example Analysis
Worms in Mobile Networks
Problem: Find worms in mobile networks
Data: Call Detail Records (CDR), e.g. one MMS record:
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM.1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
Process (extract sender and recipient, fields 5 and 6, as CSV for AfterGlow):
cat mms.cdr | awk -v OFS=, '{print $5, $6}'
Visual Transformation: see the graphs on the following slides
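The CDR processing step above, as an added example that is not part of the DAVIX slides: Python in place of the awk one-liner. It takes whitespace-separated MMS CDR lines in the shape of the record shown on the slide, keeps fields 5 and 6 (sender, recipient), writes the two-column CSV AfterGlow expects, and computes the two worm indicators the following slides look for visually: senders with a large fan-out and long forwarding chains. The CDR lines, the phone numbers, the field positions and the threshold below are constructed for this example.

```python
# Added example (not from the DAVIX slides): CDR -> sender/recipient edges
# -> AfterGlow CSV, plus fan-out and chain-length indicators for MMS worms.
from collections import defaultdict

# Constructed records with the slide's field layout (fields 5 and 6 are
# sender and recipient); every number here is fake.
SAMPLE_CDR = """\
20051117225657 GMT 20051117225657 GMT 41790000001 41790000002 0 63517 image/jpeg
20051117225658 GMT 20051117225658 GMT 41790000001 41790000003 0 63517 image/jpeg
20051117225659 GMT 20051117225659 GMT 41790000001 41790000004 0 63517 image/jpeg
20051117225700 GMT 20051117225700 GMT 41790000001 41790000005 0 63517 image/jpeg
20051117225701 GMT 20051117225701 GMT 41790000002 41790000006 0 63517 image/jpeg
20051117225702 GMT 20051117225702 GMT 41790000006 41790000007 0 63517 image/jpeg
20051117225703 GMT 20051117225703 GMT 41790000007 41790000008 0 63517 image/jpeg
20051117225704 GMT 20051117225704 GMT 41790000009 41790000001 0 63517 text/plain
"""


def extract_edges(cdr_text, sender_field=5, recipient_field=6):
    """Equivalent of awk '{print $5, $6}': 1-based, whitespace-separated fields.
    Records that are too short (truncated or malformed) are skipped."""
    edges = []
    for line in cdr_text.splitlines():
        fields = line.split()
        if len(fields) < max(sender_field, recipient_field):
            continue
        edges.append((fields[sender_field - 1], fields[recipient_field - 1]))
    return edges


def to_afterglow_csv(edges):
    """Two-column CSV (source,target) as consumed by afterglow.pl."""
    return "\n".join(f"{s},{r}" for s, r in edges) + "\n"


def fan_out(edges):
    """Distinct recipients per sender; an infected handset sprays many numbers."""
    out = defaultdict(set)
    for s, r in edges:
        out[s].add(r)
    return {s: len(rs) for s, rs in out.items()}


def suspicious_senders(edges, min_recipients=3):
    """Senders whose fan-out reaches the (constructed) threshold."""
    return sorted(s for s, n in fan_out(edges).items() if n >= min_recipients)


def longest_chain(edges, max_depth=50):
    """Hop count and nodes of the longest simple path sender -> recipient -> ...
    (the 'long chains' pattern). Depth is capped so a cycle in real data
    cannot make the search run forever."""
    adj = defaultdict(set)
    for s, r in edges:
        adj[s].add(r)
    best = {"len": 0, "path": []}

    def walk(node, path):
        if len(path) > max_depth:
            return
        if len(path) - 1 > best["len"]:
            best["len"], best["path"] = len(path) - 1, list(path)
        for nxt in adj.get(node, ()):
            if nxt not in path:          # simple paths only
                walk(nxt, path + [nxt])

    for start in list(adj):
        walk(start, [start])
    return best["len"], best["path"]


if __name__ == "__main__":
    edges = extract_edges(SAMPLE_CDR)
    print(to_afterglow_csv(edges), end="")          # pipe this into afterglow.pl
    print("fan-out:", fan_out(edges))
    print("suspicious senders:", suspicious_senders(edges))
    print("longest chain:", longest_chain(edges))
```

On the constructed data one sender reaches four distinct recipients and the longest forwarding chain is five hops; on a real CDR feed the thresholds are a tuning decision, and the CSV output is what AfterGlow turns into the graphs on the next slides.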
Multimedia Message Service graph: Service Numbers?
Multimedia Message Service graph: Long Chains
Hands-on Analysis
Let's Go
Captures are in /root/davix_workshop_captures.pcap
Find something interesting? Come show!
Hints:
tcpdump -nlr /root/davix_workshop_captures.pcap
tcpdump2csv.pl
afterglow.pl -h
bar.pl -h
AfterGlow Property File
# Variable and Color
variable=@violation=("backdoor Access", "HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

# Node Size and Threshold
maxnodesize=1;
size.source=$fields[2]
size=0.5
sum.target=0;
threshold.source=14;

# Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/)
color.source="red"
color.target="palegreen"
cluster.source=regex_replace("(\\d\+)\\.\\d+")."/8"
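The Data Formats and AfterGlow slides above describe the CSV-to-DOT step, and the property file on this slide describes the rules AfterGlow applies while doing it. The following is an added example, not code from the slides or from the AfterGlow project: a small Python re-implementation of that step that reads two-column CSV, applies rules of the kind on this slide (target color by violation list, source color by prefix, /8 clustering of source addresses, a per-source threshold) and emits DOT with properly quoted identifiers. The sample rows, the rule values and the threshold semantics (keep a source only if it occurs at least N times) are assumptions made for this example.

```python
# Added example (not from the DAVIX slides or the AfterGlow project):
# AfterGlow-style CSV -> rules -> DOT in Python.
import csv
import io
import re
from collections import Counter

# Constructed sample input in the slides' CSV shape: source,target
SAMPLE_CSV = """\
10.0.0.2,backdoor Access
10.0.0.3,HackerTool Download
10.0.0.2,Printing Resume
111.2.3.4,Patent Access
10.0.0.2,Patent Access
"""

# Mirrors: variable=@violation=("backdoor Access", "HackerTool Download");
VIOLATIONS = ("backdoor Access", "HackerTool Download")


def dot_quote(label):
    # DOT identifiers with spaces or punctuation must be quoted, and embedded
    # backslashes and double quotes escaped, or the generated file will not parse.
    return '"' + label.replace("\\", "\\\\").replace('"', '\\"') + '"'


def cluster_source(source):
    # Mirrors cluster.source=regex_replace(...)."/8": collapse an IPv4 address
    # to its first octet plus "/8"; names that are not addresses are kept as-is.
    m = re.match(r"(\d+)\.\d+", source)
    return m.group(1) + "/8" if m else source


def target_color(target):
    # color.target="orange" for an event in the violation list, else palegreen
    return "orange" if target in VIOLATIONS else "palegreen"


def source_color(source):
    # color.source="palegreen" if ($fields[0] =~ /^111/), else red
    return "palegreen" if source.startswith("111") else "red"


def parse_csv(text):
    """Return (source, target) pairs; blank or short rows are skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        rows.append((row[0].strip(), row[1].strip()))
    return rows


def build_graph(rows, source_threshold=1, cluster=True):
    """Apply the rules; return (nodes, edges).
    nodes: dict name -> {"fillcolor": ...}; edges: ordered list of (src, dst).
    Assumed threshold.source semantics: a source is kept only if it occurs
    at least source_threshold times in the input."""
    src_count = Counter(src for src, _ in rows)
    nodes, edges = {}, []
    for src, dst in rows:
        if src_count[src] < source_threshold:
            continue
        src_name = cluster_source(src) if cluster else src
        nodes.setdefault(src_name, {"fillcolor": source_color(src)})
        nodes.setdefault(dst, {"fillcolor": target_color(dst)})
        if (src_name, dst) not in edges:      # collapse duplicates after clustering
            edges.append((src_name, dst))
    return nodes, edges


def to_dot(nodes, edges, label="afterglow-style example"):
    """Emit DOT in the shape shown on the AfterGlow slide."""
    lines = [
        "digraph structs {",
        f"  graph [label={dot_quote(label)}, fontsize=8];",
        "  node [shape=ellipse, style=filled, fontsize=10];",
        "  edge [len=1.6];",
    ]
    for name, attrs in nodes.items():
        lines.append(f"  {dot_quote(name)} [fillcolor={dot_quote(attrs['fillcolor'])}];")
    for src, dst in edges:
        lines.append(f"  {dot_quote(src)} -> {dot_quote(dst)};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nodes, edges = build_graph(parse_csv(SAMPLE_CSV), source_threshold=2)
    print(to_dot(nodes, edges))   # render with: dot -Tpng -o graph.png
```

With the threshold set to 2 only the source seen three times survives, it is drawn as "10/8", and its "backdoor Access" target is orange while the other targets are palegreen; the explicit quoting in dot_quote is what the hand-written DOT on the Data Formats slide needs for a label such as "activity 1".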
Thank You!
secviz.org
davix.secviz.org