DAVIX Visualization Workshop



DAVIX Visualization Workshop
Jan.Monsch at iplosion.com
Raffael.Marty at secviz.org


Raffael Marty
- Chief Security Strategist @ Splunk>
- Passion for Visualization
- http://secviz.org
- http://afterglow.sourceforge.net
- Applied Security Visualization (Paperback: 552 pages, Publisher: Addison Wesley, August 2008, ISBN: 0321510100)

Jan P. Monsch
- Senior Security Analyst
- DAVIX initiator and engineer
- http://davix.secviz.org
- http://www.iplosion.com

Workshop Preparation
30 DAVIX CDs
- DAVIX image
- DAVIX manual
- PCAP file for analysis in /root
Copy the files to your disk and hand the CD to your neighbor!
Recommended setup
- VMware Player or VMware Fusion
- Bridged or NAT networking
- VM setup assistance: Chapters 6.1.1 and 6.1.2 in the manual
- Configure the host to access the DEFCON wireless network


Agenda
- DAVIX
- Visualization
- Example analysis
- Hands-on analysis
- Show us what you got
Goal: You can use DAVIX to analyze your data!

Visualization Questions
- Who analyzes logs?
- Who uses visualization for log analysis?
- Who has used DAVIX?
- Have you heard of SecViz.org?
- What tools are you using for log analysis?

DAVIX: Data Analysis and Visualization Linux

What is DAVIX?
Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easily customizable
- Runs from CD/DVD, USB stick or hard drive
Collection of free tools for data processing and visualization
- Tools work out of the box
- No compilation or installation of tools required
Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials

Why Did We Build DAVIX?
No free solution offering a wide range of visualization tools
- Huge hurdle for people to get started with visualization
Cumbersome to get tools running
- Compiler issues, e.g. gcc 3 vs. gcc 4
- Dependencies on uncommon and old libraries
- Different runtime environments
DAVIX Goals
- Getting tools running is simple: the user can concentrate on analysis
- Easily customizable: users can add missing things
- Perfect workspace to get you started with visualization!

User Interface - Menu Organization
Menu organized around the information visualization process: Capture, Process, Visualize
Tools often cover more than one category
- Afterglow: Process, Visualize
Additional tools/services:
- Apache, MySQL, NTP

Tools (non-exhaustive list)
Capture
- Network tools: Argus, Snort, Wireshark
- Logging: syslog-ng
- Fetching data: wget, ftp, scp
Processing
- Shell tools: awk, grep, sed
- Graphic preprocessing: Afterglow, LGL
- Data enrichment: geoiplookup, whois/gwhois
Visualization
- Network Traffic: EtherApe, InetVis, tnv
- Generic: Afterglow, LGL Viewer, Mondrian, R Project

PDF User Manual
- Quick start guide
- Network setup information
- Tool usage examples
- Links to online resources: tool home pages, manuals, tutorials
Customizing DAVIX
- Customizing the ISO image
- Creating new modules
- Installation on USB stick or hard drive

User Manual in the Menu
The manual is browsable by chapter or by individual tool chapters.

The Manual Is Not
- Not an introduction to security analysis methodologies
- Not a collection of security analysis use-cases
- Not covering exhaustive examples
  - The usage examples are not security related
  - It is a quick usage guide for the tools
Look at Raffael's book to get these details!

Customizations
DAVIX and SLAX can be modified in two ways
- LZM modules: add or remove modules in the directory slax/modules. Modules are highly compressed software packages.
- rootcopy: overwrite or add individual files of LZM modules by copying modified files to the directory slax/rootcopy.
LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm.

Visualization

Information Visualization Process: Capture, Process, Visualize

Data Formats

CSV / TSV
10.0.0.2,80,23.2.1.2,failed
10.0.0.2,80,23.2.1.5,success

TM3
Source    Port     Destination  Action
STRING    INTEGER  STRING       STRING
10.0.0.2  80       23.2.1.2     failed

DOT
digraph structs {
  graph [label="My Graph"];
  node [shape=ellipse];
  edge [len=1];
  ram -> "activity 1";
  ram [fillcolor=white];
}

GML

AfterGlow 1.x
Pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher

CSV File:
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping

Graph Language File:
digraph structs {
  graph [label="afterglow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}


An Example Analysis

Worms in Mobile Networks
Problem: Find worms in mobile networks
Data: Call Detail Records (CDR), one record per line, e.g.
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM.1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
Process: extract fields 5 and 6 (the two phone numbers) as a CSV pair for AfterGlow
cat mms.cdr | awk -v OFS=, '{print $5, $6}'
Visual Transformation:


Multimedia Message Service: Service Numbers?


Multimedia Message Service: Long Chains

Hands-on Analysis

Let's Go
Captures are in /root/davix_workshop_captures.pcap
Found something interesting? Come show!
Hints:
tcpdump -nlr /root/davix_workshop_captures.pcap
tcpdump2csv.pl
afterglow.pl -h
bar.pl -h

AfterGlow property file
# Variable and Color
variable=@violation=("backdoor Access", "HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

# Node Size and Threshold
maxnodesize=1;
size.source=$fields[2]
size=0.5
sum.target=0;
threshold.source=14;

# Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/)
color.source="red"
color.target="palegreen"
cluster.source=regex_replace("(\\d\+)\\.\\d+")."/8"
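As an added example (not DAVIX's or AfterGlow's own code), the following Python script walks the Parser -> CSV -> AfterGlow -> Graph Language File pipeline from the AfterGlow 1.x slide and applies the colour, cluster and threshold rules of the property file above to a constructed two-column CSV, emitting the same DOT header the slide shows. The sample rows are constructed, the threshold semantics (a source is kept only if it occurs at least N times after clustering) are an assumption, and the size rules are left out.

```python
import re
from collections import Counter

# Constructed sample input, not from the slides: source,target per line
SAMPLE_CSV = """\
111.10.20.30,backdoor Access
111.10.20.31,HackerTool Download
10.0.0.2,Printing Resume
10.0.0.2,Patent Access
10.0.0.2,Printing Resume
"""
# @violation list from the property file on the slide
VIOLATIONS = ("backdoor Access", "HackerTool Download")

def cluster_source(node):
    # cluster.source rule: collapse a dotted IP to "<first octet>/8"
    m = re.match(r"(\d+)\.\d+", node)
    return m.group(1) + "/8" if m else node

def source_color(field0):
    # color.source rules, first match wins: /^111/ -> palegreen, else red
    return "palegreen" if re.match(r"^111", field0) else "red"

def target_color(field1):
    # color.target rules: names in @violation -> orange, else palegreen
    return "orange" if field1 in VIOLATIONS else "palegreen"

def csv_to_dot(text, threshold=1):
    """Two-column CSV -> the DOT digraph AfterGlow hands to the grapher.
    threshold mirrors threshold.source (assumed: keep a source only if it
    occurs at least `threshold` times after clustering)."""
    rows = [tuple(l.split(",", 1)) for l in text.splitlines() if l.strip()]
    clustered = [(cluster_source(s), t, s) for s, t in rows]
    counts = Counter(src for src, _, _ in clustered)
    nodes, edges = {}, []
    for src, tgt, raw_src in clustered:
        if counts[src] < threshold:
            continue  # below threshold.source: edge is not drawn
        nodes.setdefault(src, source_color(raw_src))  # colour from raw field
        nodes.setdefault(tgt, target_color(tgt))
        edge = f'"{src}" -> "{tgt}";'
        if edge not in edges:  # each distinct edge is drawn once
            edges.append(edge)
    out = ["digraph structs {",
           '  graph [label="afterglow 1.5.8", fontsize=8];',
           "  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];",
           "  edge [len=1.6];"]
    out += [f'  "{n}" [fillcolor={c}];' for n, c in nodes.items()]
    out += ["  " + e for e in edges] + ["}"]
    return "\n".join(out)
```

Feed the output to `dot` or `neato` (the graphers DAVIX ships) to render it; raising `threshold` drops the sparse 111/8 sources the way threshold.source=14 would on a real data set.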

Thank You
secviz.org
davix.secviz.org