Log Visualization - Bellua BCS 2006
Logfile Visualization: The Beauty of Graphs
BCS 2006, Jakarta
Raffael Marty, GCIA, CISSP, Manager Solutions @ ArcSight
August 30th, 2006
Raffael Marty, BCS 2006 Jakarta
Raffael Marty, GCIA, CISSP
• Enterprise Security Management (ESM) specialist
• Strategic Application Solutions @ ArcSight, Inc.
• Intrusion Detection Research @ IBM Research (see http://thor.cryptojail.net)
• IT Security Consultant @ PriceWaterhouse Coopers
• Open Vulnerability and Assessment Language (OVAL) board member
• Passion for Visual Security Event Analysis
Table Of Contents
► Introduction
► Graphing Basics
► Graph Use Cases
► Visual Analysis Process
► AfterGlow
► Firewall Log Visualization
Introduction
Disclaimer
IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
A Picture is Worth a Thousand Log Entries
• Detect the Expected & Discover the Unexpected
• Make Better Decisions
• Reduce Analysis and Response Times
Text or Visuals?
► What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Graphing Basics
How To Generate A Graph
Log File (raw events from the Device) -> Parser (Normalization) -> Visualizer -> Visual
Visual Types
• Link Graphs: AfterGlow 1.x - Perl
• TreeMaps: AfterGlow 2.0 - Java
Link Graph Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different node configurations (source -> event -> target) for the same event:
• SIP -> Name -> DIP: 192.168.10.90 -> RPC portmap -> 192.168.10.255
• SIP -> DIP -> DPort: 192.168.10.90 -> 192.168.10.255 -> 111
• SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
• Name -> SIP -> DIP: RPC portmap -> 192.168.10.90 -> 192.168.10.255
Tree Maps
All Network Traffic
Tree Maps
Configuration (Hierarchy): Protocol
(figure: two cells, UDP and TCP, labelled 20% and 80%)
Tree Maps
Configuration (Hierarchy): Protocol -> Service
(figure: the UDP and TCP cells subdivided into the services HTTP, SSH, FTP, DNS, SNMP)
Graph Use Cases
Graph Use-Cases: Situational Awareness Dashboard
Graph Use-Cases: Suspicious Activity?
Graph Use-Cases: Network Scan
Graph Use-Cases: Port Scan?
► Port scan or something else?
Graph Use-Cases: Port Scan
Node configuration: SIP -> DIP -> DPort
Graph Use-Cases: Telecom Malicious Code Propagation
Node configuration: From Phone# -> To Phone# -> Content Type | Size
Graph Use-Cases: Email Relays
Node configuration: From -> To (nodes: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain)
Do you run an open relay?
• Grey out emails to and from “my domain”
• Make “my domain” invisible
Visual Analysis Process
Event Feedback Loop (Visual Analysis Process)
Device -> Normalization -> Filter -> Correlation -> Visual
Device output (pf log):
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Normalized (sip, dip, dport):
195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
Correlated event: Service stopped
Event Feedback Loop (Visual Analysis Process)
Real-time Data Processing / Forensic and Historical Analysis
-> Visual Detection -> Visual Investigation -> Assign to Content Author -> Creation of new Filters and Correlation Components
Visual Detection (Visual Analysis Process)
Beginning of Analyst’s shift
Visual Detection (Visual Analysis Process)
Scan Events / Firewall Blocks: scanning activity is displayed
Visual Investigation (Visual Analysis Process)
Defining New Content (Visual Analysis Process)
1. Correlation: assign for further analysis if more than 20 firewall drops occur from an external machine to an internal machine
2. Filter:
• Internal machines on white-list
• Connecting to active directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
AfterGlow
http://afterglow.sourceforge.net
► Two Versions:
• AfterGlow 1.x – Perl for Link Graphs
• AfterGlow 2.0 – Java for TreeMaps
► Collection of Parsers:
• pf2csv.pl: BSD PacketFilter (pf)
• tcpdump2csv.pl: tcpdump 3.9
• sendmail2csv.pl: Sendmail transaction logs
AfterGlow (afterglow.sourceforge.net)
AfterGlow Parsers
► tcpdump2csv.pl
• Takes care of swapping response source and targets
tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
► sendmail_parser.pl
• Reassemble email conversations:
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<[email protected]>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
► pf2csv.pl
• Parsing OpenBSD pf output
AfterGlow 1.x - Perl
►Supported graphing tools:
• GraphViz from AT&T (dot, neato, circo, twopi) http://www.graphviz.org
• LGL (Large Graph Layout) by Alex Adai, http://bioinformatics.icmb.utexas.edu/lgl/
Pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher
AfterGlow 1.x Features
► Generate Link Graphs
► Filtering Nodes
• Based on name
• Based on number of occurrences
► Fan Out Filtering
► Coloring
• Edges
• Nodes
► Clustering
(figure: Fan Out: 3)
AfterGlow 1.x Hello World
Input Data:
a,b
a,c
b,c
d,e
Command (two-node mode, output piped into GraphViz):
cat file | ./afterglow -c simple.properties -t | neato -Tgif -o test.gif
simple.properties:
color.source="green" if ($fields[0] ne "d")
color.target="blue" if ($fields[1] ne "e")
color.source="red"
color="green"
Output: a link graph with the nodes a, b, c, d, e
AfterGlow 1.x Property File - Color Definition
Coloring:
color.[source|event|target|edge]=<perl expression returning a color name>
The array @fields contains the input line, split into tokens:
color.event="red" if ($fields[1] =~ /^192\..*/)
Filter nodes with the "invisible" color:
color.target="invisible" if ($fields[0] eq "IIS Action")
AfterGlow 1.x Property File - Clustering
Clustering:
cluster.[source|event|target]=<perl expression returning a cluster name>
AfterGlow 2.0 - Java
► Command line arguments:
-h : help
-c file : property file
-f file : data file
Pipeline: Parser -> CSV File -> AfterGlow - Java
AfterGlow 2.0 Example
► Data:
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
► Launch:
./afterglow-java.sh -c afterglow.properties
afterglow.properties:
# AfterGlow - JAVA 2.0
# Properties File
# File to load
file.name=/home/ram/afterglow/data/sample.csv
# Column Types (default is STRING), start with 0!
# Valid values:
# STRING
# INTEGER
# CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL
# Size Column (default is 0)
size.column=0
# Color Column (default is 0)
color.column=2
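The Tree Maps slides show a hierarchy (Protocol -> Service) in which each cell's area is proportional to its share of the events. As an added example, not AfterGlow 2.0's own code, the block below builds such a hierarchy from the CSV of the example above (assuming Target System Type -> Outcome as the hierarchy and the event count as the size, since the slide's own size column is not meaningful for this data) and lays it out with a slice-and-dice treemap algorithm.

```python
# Rows from the AfterGlow 2.0 example slide (CSV, header first).
DATA = """Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
"""

def build_hierarchy(csv_text, levels):
    """Nest the rows by the named CATEGORICAL columns, in the given order.

    Leaves hold the event count, used here as the treemap size (an assumption
    of this example, not AfterGlow 2.0's size.column semantics).
    """
    lines = csv_text.strip().splitlines()
    header = lines[0].split(",")
    idx = [header.index(name) for name in levels]
    tree = {}
    for line in lines[1:]:
        cols = line.split(",")
        node = tree
        for i in idx[:-1]:                     # descend / create inner nodes
            node = node.setdefault(cols[i], {})
        leaf = cols[idx[-1]]
        node[leaf] = node.get(leaf, 0) + 1     # count events at the leaf
    return tree

def total(node):
    """Size of a subtree: the sum of its leaf counts."""
    return node if isinstance(node, int) else sum(total(c) for c in node.values())

def slice_and_dice(node, x, y, w, h, depth=0, path=()):
    """Slice-and-dice treemap: split along x at even depths and along y at odd
    depths, each child receiving area proportional to its size.
    Returns (path, x, y, w, h) for every leaf cell."""
    if isinstance(node, int):
        return [(path, x, y, w, h)]
    size, offset, rects = total(node), 0.0, []
    for name, child in node.items():
        frac = total(child) / size
        if depth % 2 == 0:                     # vertical slices: divide the width
            cw = w * frac
            rects += slice_and_dice(child, x + offset, y, cw, h, depth + 1, path + (name,))
            offset += cw
        else:                                  # horizontal slices: divide the height
            ch = h * frac
            rects += slice_and_dice(child, x, y + offset, w, ch, depth + 1, path + (name,))
            offset += ch
    return rects

if __name__ == "__main__":
    tree = build_hierarchy(DATA, ["Target System Type", "Outcome"])
    for path, x, y, w, h in slice_and_dice(tree, 0, 0, 700, 100):
        print(" > ".join(path), f"x={x:.0f} y={y:.0f} w={w:.0f} h={h:.0f}")
```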
AfterGlow 2.0 Output
AfterGlow 2.0 Interaction
► Left-click:
• Zoom in
► Right-click:
• Zoom all the way out
► Middle-click:
• Change Coloring to current depth (Hack: Use SHIFT for leafs)
AfterGlow Firewall Log Analysis Example
Command:
cat pflog | pf2csv.pl "sip dip dport"
Input (pflog):
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Output (AfterGlow input):
195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
Visualization:
cat pflog | pf2csv.pl "sip dip dport" | \
afterglow -c properties | neato -Tgif -o foo.gif
AfterGlow Firewall Log Analysis Example
Command:
cat log | grep pass_in | ./afterglow -c properties -d | dot -Tgif -o foo.gif
Properties:
cluster.source="External" if (!match("^195\.141\.69"))
color="red" if (field() eq "External")
color.event="blue" if (regex("^195\.141\.69"))
color.event="lightblue"
color="red"
(graph annotation: Port 100 access)
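The whole pipeline of this firewall example, from the pf2csv.pl step through the cluster and color rules of the property file to the DOT text handed to GraphViz, as an added Python example; this is not AfterGlow's or pf2csv.pl's own code. The two pf lines are the slide's, the third (a blocked connection to port 100 from a second external host) is constructed so that the graph has more than one target node, and "195.141.69.x" is taken from the property file as the internal network.

```python
import re
from collections import OrderedDict

# pf log lines in the slide's format; the first two are the slide's, the third is constructed.
PFLOG = """\
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Feb 18 13:40:02.112233 rule 3/0(match): block in on xl0: 10.20.30.40.51515 > 195.141.69.42.100: S 1:1(0) win 512
"""

# "<action> <dir> on <iface>: <sip>.<sport> > <dip>.<dport>:" as printed in the pf log.
PF_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def pf2csv(log_text, fields="sip dip dport"):
    """CSV rows (as lists) of the requested fields, like: pf2csv.pl "sip dip dport"."""
    wanted = fields.split()
    rows = []
    for line in log_text.splitlines():
        m = PF_RE.search(line)
        if m is None:          # a line without a parsable 5-tuple is skipped, not guessed at
            continue
        rows.append([m.group(f) for f in wanted])
    return rows

INTERNAL = re.compile(r"^195\.141\.69")   # the monitored network from the property file

def cluster_source(sip):
    # cluster.source="External" if (!match("^195\.141\.69")):
    # every source outside the internal network collapses into one "External" node.
    return sip if INTERNAL.match(sip) else "External"

def node_color(name, role):
    # The slide's color rules in order, first match wins; color="red" is the default.
    if name == "External":
        return "red"
    if role == "event":
        return "blue" if INTERNAL.match(name) else "lightblue"
    return "red"

def to_dot(rows):
    """Three-column link graph (source -> event -> target) as GraphViz DOT text."""
    nodes, edges = OrderedDict(), OrderedDict()
    for src, evt, tgt in rows:
        src = cluster_source(src)
        for name, role in ((src, "source"), (evt, "event"), (tgt, "target")):
            nodes.setdefault(name, node_color(name, role))   # first role seen decides the color
        edges.setdefault((src, evt), None)                    # repeated edges collapse into one
        edges.setdefault((evt, tgt), None)
    out = ["digraph structs {"]
    out += [f'  "{n}" [style=filled, fillcolor={c}];' for n, c in nodes.items()]
    out += [f'  "{a}" -> "{b}";' for a, b in edges]
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_dot(pf2csv(PFLOG)))   # pipe into: neato -Tgif -o foo.gif
```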
Summary
► Quickly Visualize Log Files
• Understand Relationships
• Find Outliers
• Spot suspicious activity
► Visual Data Analysis Process
► AfterGlow
► Firewall Log File Analysis
Don’t Read Log Files
Visualize Them!!