(1)

DAVIX Visualization

Workshop


Jan . Monsch at iplosion . com

Raffael . Marty at secviz . org


(3)

Raffael Marty

Chief Security Strategist @ Splunk>

Passion for Visualization

http://secviz.org

http://afterglow.sourceforge.net

Applied Security Visualization

Paperback: 552 pages

Publisher: Addison Wesley (August, 2008) ISBN: 0321510100

Jan P. Monsch

Senior Security Analyst

DAVIX initiator and engineer

http://davix.secviz.org

http://www.iplosion.com

(5)

Workshop Preparation

• 30 DAVIX CDs

- DAVIX image

- DAVIX manual

- PCAP file for analysis in /root

• Recommended setup

- VMware Player or VMware Fusion

- Bridged or NAT networking

- Configure host to access DEFCON wireless network

Copy files to your disk and hand the CD to your neighbor!

VM setup assistance: Chapter 6.1.1 and 6.1.2 in the manual

(6)

Agenda

DAVIX

Visualization

Example analysis

Hands-on analysis

Show us what you got

(7)

Goal: You can use DAVIX to analyze your data!

(8)

Visualization Questions

• Who analyzes logs?

• Who uses visualization for log analysis?

• Who has used DAVIX?

• Have you heard of SecViz.org?

• What tools are you using for log analysis?

(9)

Data Analysis and Visualization Linux

DAVIX


(10)

What is DAVIX?

• Live Linux CD system based on SLAX 6

- Software packages are modularized

- Easily customizable

- Runs from CD/DVD, USB stick or hard drive

• Collection of free tools for data processing & visualization

- Tools work out of the box

- No compilation or installation of tools required

• Comes with documentation

- Quick start description for the most important tools

- Links to manuals and tutorials

(11)

Why Did We Build DAVIX?

• No free solution offering a wide range of visualization tools

- Huge hurdle for people to get started with visualization

• Cumbersome to get tools running

- Compiler issues, e.g. gcc 3 vs. gcc 4

- Dependencies on uncommon and old libraries

- Different runtime environments

• DAVIX Goals

- Getting tools running is simple → User can concentrate on analysis

- Easily customizable → Users can add missing things

(12)

User Interface - Menu Organization

• Menu organized around the information visualization process

• Tools often cover more than one category

- Afterglow → Process, Visualize

• Additional tools/services:

- Apache, MySQL, NTP

(13)

Tools

• Capture

- Network tools: Argus, Snort, Wireshark

- Logging: syslog-ng

- Fetching data: wget, ftp, scp

• Processing

- Shell tools: awk, grep, sed

- Graphic preprocessing: Afterglow, LGL

- Data enrichment: geoiplookup, whois/gwhois

• Visualization

- Network Traffic: EtherApe, InetVis, tnv

- Generic: Afterglow, LGL Viewer, Mondrian, R Project

(14)

PDF User Manual

• Quick start guide

• Network setup information

• Tool usage examples

• Links to online resources: tool home pages, manuals, tutorials

• Customizing DAVIX

- Customizing the ISO image

- Creating new modules

(15)

User Manual in the Menu

• The manual is browsable by chapter …

(16)

What the Manual Is Not

• Not an introduction to security analysis methodologies

• Not a collection of security analysis use-cases

• Not an exhaustive set of examples

- The usage examples are not security related

- It is a quick usage guide for the tools

(17)

Customizations

• DAVIX and SLAX can be modified in two ways

- LZM modules

‣ Adding or removing modules in the directory slax/modules

‣ Modules are highly compressed software packages

- rootcopy

‣ Overwrite or add individual files of LZM modules by copying modified files to the directory slax/rootcopy

• LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm

(18)
(19)

Information Visualization Process


(20)

Data Formats

• CSV / TSV

10.0.0.2,80,23.2.1.2,failed
10.0.0.2,80,23.2.1.5,success

• TM3 (tab-separated; the first row names the columns, the second row declares their types)

Source    Port     Destination  Action
STRING    INTEGER  STRING       STRING
10.0.0.2  80       23.2.1.2     failed

• GML

• DOT

digraph structs {
  graph [label="My Graph"];
  node [shape=ellipse];
  edge [len=1];
  "ram" -> "activity 1";
  "ram" [fillcolor=white];
}
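The TM3 layout above is easy to get wrong by hand because the type row has to agree with every record below it. As an added example (not from the workshop slides or the DAVIX manual), the following Python converts the slide's CSV records into TM3, deriving the type row from the data: a column is INTEGER only if every value parses as an integer, FLOAT if every value parses as a number, otherwise STRING. The column names and sample rows are constructed here to match the slide; the function names are this example's own.

```python
import csv
import io

# Constructed input in the slide's CSV form: source, port, destination, action.
SAMPLE_CSV = """\
10.0.0.2,80,23.2.1.2,failed
10.0.0.2,80,23.2.1.5,success
"""

# Column names for the TM3 header row (taken from the slide's TM3 example).
COLUMNS = ["Source", "Port", "Destination", "Action"]


def parse_csv(text):
    """Read comma-separated records, dropping blank lines."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def infer_type(values):
    """Pick the TM3 type for one column from all of its values.

    INTEGER if every value is an integer, FLOAT if every value is numeric,
    STRING otherwise.  A single non-numeric value forces STRING, which is the
    safe choice for a format that declares one type per column.
    """
    try:
        for v in values:
            int(v)
        return "INTEGER"
    except ValueError:
        pass
    try:
        for v in values:
            float(v)
        return "FLOAT"
    except ValueError:
        return "STRING"


def csv_to_tm3(rows, columns):
    """Return TM3 text: header row, type row, then tab-separated records."""
    if any(len(r) != len(columns) for r in rows):
        raise ValueError("every row must have exactly %d fields" % len(columns))
    # zip(*rows) turns the list of rows into a list of columns.
    types = [infer_type(col) for col in zip(*rows)]
    lines = ["\t".join(columns), "\t".join(types)]
    lines.extend("\t".join(r) for r in rows)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(csv_to_tm3(parse_csv(SAMPLE_CSV), COLUMNS), end="")
```

Pipe the output into a .tm3 file and the header and type rows come out consistent with the records by construction; a ragged CSV row is rejected instead of producing a file that a TM3 consumer would misread.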

(21)

AfterGlow 1.x

Parser → CSV File → AfterGlow → Graph Language File → Grapher

CSV File:

aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping

Graph Language File:

digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}


(23)
(24)

Worms in Mobile Networks

Problem: Find worms in mobile networks

Data: Call Detail Records (CDR)

20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM.1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx

Process (extract the sending and receiving number, fields 5 and 6, as CSV for AfterGlow):

cat mms.cdr | awk -v OFS=, '{print $5, $6}'

(25)

Multimedia Message Service

(26)

Multimedia Message Service


(27)

Multimedia Message Service

(28)

Multimedia Message Service


(29)
(30)

Let's Go

• Captures are in /root/davix_workshop_captures.pcap

• Find something interesting? Come show!

• Hints:

- tcpdump -nlr /root/davix_workshop_captures.pcap

- tcpdump2csv.pl

- afterglow.pl -h

- bar.pl -h

(31)

AfterGlow

# Variable and Color
variable=@violation=("Backdoor Access", "HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

# Node Size and Threshold
maxnodesize=1;
size.source=$fields[2]
size=0.5
sum.target=0;
threshold.source=14;

# Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/)
color.source="red"
color.target="palegreen"
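To make the effect of property rules like these concrete, and to show the CSV-to-DOT step from the AfterGlow 1.x slide end to end, here is an added Python example. It is not AfterGlow's code and not part of the workshop material: it reimplements, on a small constructed three-column CSV (source, target, value), the rules above as this example reads them: the first matching colour rule wins, the target turns orange when it is in the violation list, the source is palegreen when it starts with 111 and red otherwise, node size is the summed third field scaled to maxnodesize, and threshold.source drops source nodes whose summed value is below the cutoff (that last reading is this example's assumption; the AfterGlow manual is authoritative for the real semantics). SAMPLE_CSV, VIOLATIONS and the function names are this example's own.

```python
import csv
import io

# Constructed sample input (not from the workshop capture): AfterGlow-style
# CSV with source, target and a numeric value that stands in for $fields[2].
SAMPLE_CSV = """\
10.0.0.2,Printing Resume,3
111.2.3.4,Backdoor Access,20
10.0.0.5,Patent Access,7
111.9.9.9,HackerTool Download,15
10.0.0.2,Ping,1
"""

# Same list as the slide's @violation variable.
VIOLATIONS = ("Backdoor Access", "HackerTool Download")


def parse_rows(text):
    """Read source,target,value rows; ignore blank or short lines."""
    return [row for row in csv.reader(io.StringIO(text)) if len(row) == 3]


def target_color(target):
    """color.target="orange" if the target is a listed violation, else palegreen."""
    return "orange" if target in VIOLATIONS else "palegreen"


def source_color(source):
    """color.source="palegreen" if the source starts with 111, else red
    (first matching rule wins, as in the slide's property file)."""
    return "palegreen" if source.startswith("111") else "red"


def source_totals(rows):
    """Sum the value column per source node (size.source=$fields[2])."""
    totals = {}
    for src, _tgt, value in rows:
        totals[src] = totals.get(src, 0.0) + float(value)
    return totals


def node_sizes(totals, maxnodesize=1.0):
    """Scale summed values so the largest source node has size maxnodesize."""
    biggest = max(totals.values(), default=1.0)
    return {src: round(maxnodesize * val / biggest, 2) for src, val in totals.items()}


def to_dot(rows, threshold_source=0.0, label="CSV to DOT (added example)"):
    """Emit a Graphviz digraph for the rows.

    threshold_source prunes source nodes whose summed value is below the
    cutoff; this is the example's reading of threshold.source, not a
    statement about AfterGlow's exact rule.
    """
    totals = source_totals(rows)
    sizes = node_sizes(totals)
    kept = {src for src, val in totals.items() if val >= threshold_source}
    out = [
        "digraph structs {",
        f'  graph [label="{label}", fontsize=8];',
        "  node [shape=ellipse, style=filled, fontsize=10, fixedsize=true];",
        "  edge [len=1.6];",
    ]
    for src in sorted(kept):
        size = sizes[src]
        out.append(f'  "{src}" [fillcolor={source_color(src)}, width={size}, height={size}];')
    # Targets keep the fixed size=0.5 from the slide.
    for tgt in sorted({t for s, t, _ in rows if s in kept}):
        out.append(f'  "{tgt}" [fillcolor={target_color(tgt)}, width=0.5, height=0.5];')
    for src, tgt, _value in rows:
        if src in kept:
            out.append(f'  "{src}" -> "{tgt}";')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_dot(parse_rows(SAMPLE_CSV), threshold_source=14))
```

Feed the printed DOT to a Graphviz layout engine (neato, as AfterGlow does) to render it. With the cutoff at 14, only the two sources whose summed value reaches it survive, which is the point of a threshold in a large capture: the picture shows the heavy talkers and hides the long tail.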

(32)

Thank You

davix.secviz.org

secviz.org

http://afterglow.sourceforge.net

http://www.iplosion.com
