Event Graphs - EUSecWest 2006
Posted 18-Oct-2014, category: Technology
Transcript of Event Graphs - EUSecWest 2006
Page 1
A Visual Approach to Security Event Management
EuSecWest '06, London
Raffael Marty, GCIA, CISSP
Senior Security Engineer @ ArcSight
February 21st, 2006
Page 2
Raffael Marty - EuSecWest 2006 London
Raffael Marty, GCIA, CISSP
Enterprise Security Management (ESM) specialist
Strategic Application Solutions @ ArcSight, Inc.
Intrusion Detection Research @ IBM Research
See http://thor.cryptojail.net
IT Security Consultant @ PriceWaterhouse Coopers
Open Vulnerability and Assessment Language (OVAL) board member
Passion for Visual Security Event Analysis
Page 3
Table Of Contents
► Introduction
► Basics
► Examples of Graphs you can draw with AfterGlow
► AfterGlow
• 1.x – Event Graphs
• 2.0 – TreeMaps
• Future – All in One!
Page 4
Introduction
Page 5
Disclaimer
IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
Page 6
Text or Visuals?
►What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Page 7
A Picture is Worth a Thousand Log Entries
Detect the Expected & Discover the Unexpected
Make Better Decisions
Reduce Analysis and Response Times
Page 8
Three Aspects of Visual Security Event Analysis
► Situational Awareness
• What is happening in a specific business area (e.g., compliance monitoring)
• What is happening on a specific network
• What are certain servers doing
► Real-Time Monitoring and Incident Response
• Capture important activities and take action
• Event Workflow
• Collaboration
► Forensic and Historic Investigation
• Selecting an arbitrary set of events for investigation
• Understanding the big picture
• Analyzing relationships - Exploration
• Reporting
Page 9
Basics
Page 10
How To Generate A Graph?
Device (log file) -> Parser (normalization) -> Visualizer (visual)
Page 11
Visual Types I
►Will focus on visuals that AfterGlow supports:
• Event Graphs (Link Graphs): AfterGlow 1.x - Perl
• TreeMaps: AfterGlow 2.0 - Java
Page 12
Visual Types II
Event Graphs (Link Graphs)
►Node Configuration
►Node Coloring
►Edge Coloring
TreeMaps
►Hierarchy
►"Box" Coloring
►"Box" Size
(Figure labels: SIP, Name, DIP; Block, Pass; UDP, TCP)
Page 13
Link Graph Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different node configurations:
SIP -> Name -> DIP: 192.168.10.90 -> RPC portmap -> 192.168.10.255
SIP -> DIP -> DPort: 192.168.10.90 -> 192.168.10.255 -> 111
SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
Name -> SIP -> DIP: RPC portmap -> 192.168.10.90 -> 192.168.10.255
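An added Python example, not code from the slides: the parser stage for the Snort alert above, producing the four node configurations as the source,event,target rows a link grapher consumes. The rule name is kept in full (the slide abbreviates it to "RPC portmap"); the field names and regexes are my own.

```python
import re

# Constructed copy of the Snort alert shown on the slide, with the line breaks
# a Snort "full" alert has (the page shows it run together).
RAW_EVENT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
"""

# One regex per part of the alert; the matches are merged into a flat field dict.
HEADER_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) \[\*\*\]")
FLOW_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)")
PROTO_RE = re.compile(r"\b(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)")

def parse_snort_alert(text):
    """Normalize a Snort full-format alert into named fields (the Parser box)."""
    fields = {}
    for rx in (HEADER_RE, FLOW_RE, PROTO_RE):
        m = rx.search(text)
        if m is None:
            raise ValueError(f"alert does not match {rx.pattern!r}")
        fields.update(m.groupdict())
    # Ports and TTL as integers, so later filters such as DstPort < 1024 or the
    # TTL buckets compare numerically rather than lexically.
    for key in ("sport", "dport", "ttl"):
        fields[key] = int(fields[key])
    return fields

# The four node configurations from the slide as (source, event, target) columns.
CONFIGS = {
    "SIP -> Name -> DIP": ("sip", "name", "dip"),
    "SIP -> DIP -> DPort": ("sip", "dip", "dport"),
    "SIP -> SPort -> DPort": ("sip", "sport", "dport"),
    "Name -> SIP -> DIP": ("name", "sip", "dip"),
}

def node_triple(fields, config):
    """Select the columns for one configuration: the CSV row AfterGlow would read."""
    return tuple(str(fields[col]) for col in config)

def all_configurations(text):
    """Parse once, then render the same event under every configuration."""
    fields = parse_snort_alert(text)
    return {label: node_triple(fields, cfg) for label, cfg in CONFIGS.items()}

if __name__ == "__main__":
    for label, triple in all_configurations(RAW_EVENT).items():
        print(f"{label:24s} {','.join(triple)}")
```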
Page 14
TreeMap Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different configurations (hierarchy levels):
SIP > Name > DIP
SIP > SPort > DIP
SIP > DIP > DPort
Name > SIP > DIP (leaf box shown: 192.168.10.255)
Page 15
Graph Use Cases
Things You Can Do With AfterGlow
Page 16
Situational Awareness Dashboard
Page 17
Vulnerability Awareness I
Node configuration: DIP -> Vuln -> Score
Legend: One Machine; A Vulnerability
Page 18
Vulnerability Awareness II
Node configuration: DIP -> Score -> Vuln
Page 19
AfterGlow - LGL
Page 20
Monitoring Web Servers
Traffic to WebServers
Page 21
Suspicious Activity?
Page 22
Network Scan
Page 23
Port Scan
►Port scan or something else?
Page 24
Port Scan
Node configuration: SIP -> DIP -> DPort
Page 25
Firewall Activity
Node configuration: SIP, DIP, Rule#
Legend: External Machine; Internal Machine; Outgoing; Incoming
Next Steps:
1. Visualize "FW Blocks" of outgoing traffic -> Why do internal machines trigger blocks?
2. Visualize "FW Blocks" of incoming traffic -> Who and what tries to enter my network?
3. Visualize "FW Passes" of outgoing traffic -> What is leaving the network?
Page 26
Firewall Rule-set Analysis
Legend: pass; block
Page 27
Load Balancer
Page 28
Worms
Page 29
DefCon 2004 Capture The Flag
Node configuration: SIP -> DIP -> DPort
Legend: Source Of Evil; Internal Source; Internal Target; Other Team's Target; Internet Target; Our Servers; Exposed Services; DstPort < 1024; DstPort > 1024
Page 30
DefCon 2004 Capture The Flag – TTL Games
Node configuration: SIP -> DIP -> TTL
Legend: Source Of Evil; Internal Source; Internal Target; Our Servers; Offender TTL
Page 31
DefCon 2004 Capture The Flag – More TTL
Node configuration: DPort, TTL, Flags
Show Node Counts
Page 32
Telecom Malicious Code Propagation
Node configuration: From Phone# -> To Phone# -> ContentType|Size
Page 33
Email Cliques
Node configuration: From -> To
Legend: From: My Domain; From: Other Domain; To: My Domain; To: Other Domain
Page 34
Email Relays
Node configuration: From -> To
Legend: From: My Domain; From: Other Domain; To: My Domain; To: Other Domain
Do you run an open relay?
Grey out emails to and from "my domain"
Make "my domain" invisible
Page 35
Email SPAM?
Node configuration: To -> Size
Filter: Size > 10.000; Omit threshold = 1
Multiple recipients with same-size messages
Page 36
Email SPAM?
Node configuration: From -> nrcpt
Filter: nrcpt >= 2; Omit threshold = 1
Page 37
BIG Emails
Node configuration: From -> To -> Size
Filter: Size > 100.000; Omit Threshold = 2
Documents leaving the network?
Page 38
Email Server Problems?
Node configuration: To -> Delay
Legend: 2:00 < Delay < 10:00; Delay > 10:00
Page 39
AfterGlow
afterglow.sourceforge.net
Page 40
AfterGlow
►http://afterglow.sourceforge.net
►Two Versions:
• AfterGlow 1.x – Perl for Event Graphs
• AfterGlow 2.0 – Java for TreeMaps
Page 41
AfterGlow 1.x - Perl
►Supported graphing tools:
• GraphViz from AT&T (dot and neato): http://www.research.att.com/sw/tools/graphviz/
• LGL (Large Graph Layout) by Alex Adai: http://bioinformatics.icmb.utexas.edu/lgl/
Pipeline: CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher
Page 42
AfterGlow 1.x – Command Line Parameters
● Some command line arguments:
-h : help
-t : two node mode
-d : print count on nodes
-e : edge length
-n : no node labels
-o threshold : omit threshold (fan-out for nodes to be displayed)
-c configfile : color configuration file
Page 43
AfterGlow 1.x – color.properties
color.[source|event|target|edge]=<perl expression returning a color name>
● Array @fields contains the input line, split into tokens:
color.event="red" if ($fields[1] =~ /^192\..*/)
● Special color "invisible":
color.target="invisible" if ($fields[0] eq "IIS Action")
● Edge color:
color.edge="blue"
Page 44
AfterGlow 1.x – color.properties - Example
color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"
color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"
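As an added example, not AfterGlow's own Perl, here is a small Python reimplementation of the link-graph stage described by the command line parameters and color.properties slides: three-column CSV in, GraphViz DOT out, with the omit threshold read as the slide defines it (a node's fan-out), -d style node counts, and ordered first-match color rules including "invisible". The rows, rule predicates and function names are constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed source,event,target rows, the three-column CSV AfterGlow 1.x reads.
SAMPLE_CSV = """\
192.168.10.90,RPC portmap,192.168.10.255
192.168.10.90,RPC portmap,192.168.10.1
192.168.10.90,RPC portmap,192.168.10.2
10.0.0.5,IIS Action,192.168.10.1
10.0.0.7,SSH login,192.168.10.1
"""

# Ordered (predicate, color) rules per node kind, in the spirit of color.properties:
# as with the Perl rules, the first predicate that holds decides the color, and
# "invisible" removes the node from the graph.
COLOR_RULES = {
    "source": [(lambda f: f[0].startswith("192."), "olivedrab"),
               (lambda f: True, "orangered1")],
    "event":  [(lambda f: f[1] == "IIS Action", "invisible"),
               (lambda f: True, "slateblue4")],
    "target": [(lambda f: True, "olivedrab")],
    "edge":   [(lambda f: f[0].startswith("192."), "firebrick"),
               (lambda f: True, "cyan4")],
}

def pick_color(kind, fields):
    """Evaluate the rules for one node kind against a parsed row (@fields)."""
    for predicate, color in COLOR_RULES[kind]:
        if predicate(fields):
            return color
    return "black"

def build_graph(csv_text, omit_threshold=1, show_counts=False):
    """Build a DOT link graph. omit_threshold follows the slide's reading of -o:
    a node is drawn only if it connects to at least that many distinct nodes.
    show_counts mimics -d by appending the occurrence count to each label."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if len(r) == 3]
    colors, neighbours, counts, edges = {}, {}, Counter(), set()
    for f in rows:
        src, evt, tgt = f
        for kind, node in (("source", src), ("event", evt), ("target", tgt)):
            colors.setdefault(node, pick_color(kind, f))  # first row seen decides
            counts[node] += 1
        for a, b in ((src, evt), (evt, tgt)):
            neighbours.setdefault(a, set()).add(b)
            neighbours.setdefault(b, set()).add(a)
            edges.add((a, b, pick_color("edge", f)))
    visible = {n for n, nb in neighbours.items()
               if len(nb) >= omit_threshold and colors[n] != "invisible"}
    lines = ["digraph afterglow {"]
    for n in sorted(visible):
        label = f"{n} ({counts[n]})" if show_counts else n
        lines.append(f'  "{n}" [label="{label}", style=filled, fillcolor={colors[n]}];')
    for a, b, color in sorted(edges):
        if a in visible and b in visible:   # edges to omitted/invisible nodes vanish
            lines.append(f'  "{a}" -> "{b}" [color={color}];')
    lines.append("}")
    return {"dot": "\n".join(lines), "nodes": visible}

if __name__ == "__main__":
    print(build_graph(SAMPLE_CSV, omit_threshold=2, show_counts=True)["dot"])
```

Pipe the printed DOT into `dot -Tpng` (GraphViz) to render it, as the AfterGlow 1.x pipeline does.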
Page 45
AfterGlow 2.0 - Java
►Command line arguments:
-h : help
-c file : property file
-f file : data file
Pipeline: CSV File -> Parser -> AfterGlow - Java
Page 46
AfterGlow 2.0 - Example
►Data:
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
►Launch:
./afterglow-java.sh -c afterglow.properties
►afterglow.properties:
# AfterGlow - JAVA 2.0
# Properties File
# File to load
file.name=/home/ram/afterglow/data/sample.csv
# Column Types (default is STRING), start with 0!
# Valid values:
# STRING
# INTEGER
# CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL
# Size Column (default is 0)
size.column=0
# Color Column (default is 0)
color.column=2
Page 47
AfterGlow 2.0 – Java - Output
Page 48
AfterGlow 2.0 – Java - Interaction
►Left-click:
• Zoom in
►Right-click:
• Zoom all the way out
►Middle-click:
• Change coloring to current depth (Hack: use SHIFT for leafs)
Page 49
AfterGlow 3.0 – The Future
► Generating LinkGraphs with the Java version
► Adding more output formats
► Saving output as image file
► Animation
Page 50
AfterGlow – Parsers
► tcpdump2csv.pl
• Takes care of swapping response source and targets
tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
►sendmail_parser.pl
• Reassembles email conversations:
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<[email protected]>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
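An added Python example, not sendmail_parser.pl itself: it reassembles sendmail's from= and to= lines by queue ID into one row per recipient, then derives the nrcpt and delay views used in the "Email SPAM?" and "Email Server Problems?" slides. The log lines, host name and addresses are constructed (example.com and example.org are reserved documentation domains).

```python
import re

# Constructed sendmail log in the same format as the slide's two lines: one from=
# line per message plus one to= line per recipient, linked by the queue ID.
SENDMAIL_LOG = """\
Jul 24 21:01:16 mx1 sendmail[17072]: j6P41Gqt017072: from=<alice@example.com>, size=650, class=0, nrcpts=1, msgid=<1@example.com>
Jul 24 21:01:16 mx1 sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<alice@example.com> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
Jul 24 21:05:02 mx1 sendmail[17090]: j6P45Abc017090: from=<promo@example.org>, size=12000, class=0, nrcpts=3, msgid=<2@example.org>
Jul 24 21:05:03 mx1 sendmail[17091]: j6P45Abc017090: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=42000, dsn=2.0.0, stat=Sent
Jul 24 21:05:03 mx1 sendmail[17091]: j6P45Abc017090: to=<carol@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=42000, dsn=2.0.0, stat=Sent
Jul 24 21:17:40 mx1 sendmail[17091]: j6P45Abc017090: to=<dave@example.com>, delay=00:12:38, xdelay=00:12:38, mailer=esmtp, pri=42000, dsn=4.0.0, stat=Deferred
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")   # key=value, angle-bracketed or up to ','

def parse_delay(hms):
    """'HH:MM:SS' -> seconds, so the slide's 2:00 / 10:00 thresholds compare numerically."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def reassemble(log_text):
    """Join each to= line with the from= line of the same queue ID: one row per
    recipient carrying sender, size and nrcpts from the envelope."""
    envelopes, rows = {}, []
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if m is None:
            continue                      # not a sendmail queue line
        kv = {k: v.strip("<>") for k, v in KV_RE.findall(m.group("rest"))}
        qid = m.group("qid")
        if "from" in kv:
            envelopes[qid] = kv
        elif "to" in kv and qid in envelopes:   # a to= line with no envelope is skipped
            env = envelopes[qid]
            rows.append({"qid": qid, "from": env["from"], "to": kv["to"],
                         "size": int(env["size"]), "nrcpts": int(env["nrcpts"]),
                         "delay": parse_delay(kv["delay"]), "stat": kv["stat"]})
    return rows

def csv_rows(rows, columns):
    """Emit the columns one graph needs, e.g. ("from", "nrcpts") or ("to", "delay")."""
    return [",".join(str(r[c]) for c in columns) for r in rows]

def multi_recipient_senders(rows, min_rcpts=2):
    """The 'Email SPAM?' view: senders whose envelopes had nrcpts >= min_rcpts."""
    return sorted({r["from"] for r in rows if r["nrcpts"] >= min_rcpts})

def delay_bucket(seconds):
    """Buckets from the 'Email Server Problems?' slide (thresholds are MM:SS)."""
    if seconds > 10 * 60:
        return "Delay > 10:00"
    if seconds > 2 * 60:
        return "2:00 < Delay < 10:00"
    return "normal"

if __name__ == "__main__":
    conversations = reassemble(SENDMAIL_LOG)
    print("\n".join(csv_rows(conversations, ("from", "to", "size"))))
    print("multi-recipient senders:", multi_recipient_senders(conversations))
    for r in conversations:
        print(r["to"], delay_bucket(r["delay"]), r["stat"])
```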
Page 51
Summary
Detect the expected
& discover the unexpected
Make better decisions
Reduce analysis and response times
Page 52
THANKS!