Visual Log Analysis - DefCon 2006
Posted 18-Oct-2014, Category: Technology
Transcript of Visual Log Analysis - DefCon 2006
![Page 1: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/1.jpg)
Visual Log Analysis – The Beauty of Graphs
DefCon 2006, Las Vegas
Raffael Marty, GCIA, CISSP
Manager Solutions @ ArcSight
August 5th, 2006
![Page 2: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/2.jpg)
Raffael Marty 2DefCon 2006 Las Vegas
Raffael Marty, GCIA, CISSP
► Enterprise Security Management (ESM) specialist
► Strategic Application Solutions @ ArcSight, Inc.
► Intrusion Detection Research @ IBM Research
► IT Security Consultant @ PriceWaterhouse Coopers
► Open Vulnerability and Assessment Language (OVAL) board member
► Passion for Visual Security Event Analysis
See http://thor.cryptojail.net
![Page 3: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/3.jpg)
Table Of Contents
► Introduction
► Graphing Basics
► AfterGlow
► Firewall Log File Analysis
![Page 4: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/4.jpg)
Introduction
![Page 5: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/5.jpg)
Disclaimer
IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
![Page 6: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/6.jpg)
Text or Visuals?
► What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
A Picture is Worth a Thousand Log Lines
![Page 7: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/7.jpg)
Graphing Basics
![Page 8: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/8.jpg)
How To Generate A Graph
[Figure: processing pipeline Device → Parser (Normalization) → Visualizer; at the data level, Log File → Event → Visual. The log excerpt shown is the syslog sample from the previous slide.]
![Page 9: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/9.jpg)
Visual Types
► Visuals that AfterGlow supports:
• Link Graphs – AfterGlow 1.x (Perl)
• TreeMaps – AfterGlow 2.0 (Java)
![Page 10: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/10.jpg)
Link Graph Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different node configurations (source → event → target):
• SIP → Name → DIP: 192.168.10.90 → RPC portmap → 192.168.10.255
• SIP → DIP → DPort: 192.168.10.90 → 192.168.10.255 → 111
• SIP → SPort → DPort: 192.168.10.90 → 32859 → 111
• Name → SIP → DIP: RPC portmap → 192.168.10.90 → 192.168.10.255
![Page 11: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/11.jpg)
Tree Maps
All Network Traffic
![Page 12: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/12.jpg)
Tree Maps
Configuration (Hierarchy): Protocol
[Figure: treemap split by protocol, UDP 20% / TCP 80%]
![Page 13: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/13.jpg)
Tree Maps
Configuration (Hierarchy): Protocol -> Service
[Figure: treemap split by protocol (UDP, TCP), each subdivided by service: HTTP, SSH, FTP, DNS, SNMP]
![Page 14: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/14.jpg)
AfterGlow – afterglow.sourceforge.net
![Page 15: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/15.jpg)
AfterGlow
http://afterglow.sourceforge.net
► Two Versions:
• AfterGlow 1.x – Perl for Link Graphs
• AfterGlow 2.0 – Java for TreeMaps
► Collection of Parsers:
• pf2csv.pl – BSD PacketFilter (pf)
• tcpdump2csv.pl – tcpdump 3.9
• sendmail2csv.pl – Sendmail transaction logs
![Page 16: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/16.jpg)
AfterGlow Parsers
► tcpdump2csv.pl
• Takes care of swapping response source and targets
tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl
► sendmail_parser.pl
• Reassemble email conversations:
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<[email protected]>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
► pf2csv.pl
• Parsing OpenBSD pf output
pf2csv.pl "sip dip sport"
![Page 17: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/17.jpg)
AfterGlow 1.x - Perl
► Supported graphing tools:
• GraphViz from AT&T (dot, neato, circo, twopi) http://www.graphviz.org
• LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/
[Figure: Parser → CSV File → AfterGlow → Graph Language File → Grapher]
![Page 18: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/18.jpg)
AfterGlow 1.x – Features
► Generate Link Graphs
► Filtering Nodes
• Based on name
• Based on number of occurrences
► Fan Out Filtering
► Coloring
• Edges
• Nodes
► Clustering
[Figure: link graph illustrating "Fan Out: 3"]
![Page 19: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/19.jpg)
AfterGlow 1.x – Command Line Parameters
Some command line arguments:
-h : help
-t : two node mode
-d : print count on nodes
-e : edge length
-n : no node labels
-o threshold : omit threshold (fan-out for nodes to be displayed)
-f threshold : fan out threshold for source node
-c configfile : color configuration file
![Page 20: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/20.jpg)
AfterGlow 1.x – Hello World
Input Data:
a,b
a,c
b,c
d,e
Command:
cat file | ./afterglow -c simple.properties -t | neato -Tgif -o test.gif
simple.properties:
color.source="green" if ($fields[0] ne "d")
color.target="blue" if ($fields[1] ne "e")
color.source="red"
color="green"
Output:
[Figure: link graph with nodes a, b, c, d, e and edges a→b, a→c, b→c, d→e]
![Page 21: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/21.jpg)
AfterGlow 1.x – Property File – Color Definition
Coloring:
color.[source|event|target|edge]=<perl expression returning a color name>
Array @fields contains the input line, split into tokens:
color.event="red" if ($fields[1] =~ /^192\..*/)
Filter nodes with "invisible" color:
color.target="invisible" if ($fields[0] eq "IIS Action")
![Page 22: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/22.jpg)
AfterGlow 1.x – Property File – Clustering
Clustering:
cluster.[source|event|target]=<perl expression returning a cluster name>
![Page 23: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/23.jpg)
AfterGlow 2.0 - Java
► Command line arguments:
-h : help
-c file : property file
-f file : data file
[Figure: Parser → CSV File → AfterGlow – Java]
![Page 24: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/24.jpg)
AfterGlow 2.0 Example
► Data:
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
► Launch:
./afterglow-java.sh -c afterglow.properties
afterglow.properties:
# AfterGlow - JAVA 2.0
# Properties File
# File to load
file.name=/home/ram/afterglow/data/sample.csv
# Column Types (default is STRING), start with 0!
# Valid values:
# STRING
# INTEGER
# CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL
# Size Column (default is 0)
size.column=0
# Color Column (default is 0)
color.column=2
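To make concrete what the treemap "hierarchy", "size column" and "color column" settings above actually compute, here is an added Python example (not AfterGlow's own code) that nests the slide's sample rows along a chosen list of columns, sums row counts as rectangle sizes, and derives a colour value from the share of failed outcomes. The hierarchy names and the failure-ratio colouring are my choices for illustration; AfterGlow 2.0 configures these through the properties file shown above.

```python
import csv
import io

# The sample data from the slide, reproduced here as the input.
SAMPLE_CSV = """\
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
"""


def build_hierarchy(csv_text, hierarchy):
    """Nest the rows along the given column names (outermost first).
    Each leaf holds a row count, which is what the treemap uses as the
    rectangle size when every row counts as 1."""
    tree = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        node = tree
        for col in hierarchy[:-1]:
            node = node.setdefault(row[col], {})
        leaf = row[hierarchy[-1]]
        node[leaf] = node.get(leaf, 0) + 1
    return tree


def size(node):
    """Total size of a subtree: the sum of its leaf counts."""
    if isinstance(node, int):
        return node
    return sum(size(child) for child in node.values())


def shares(tree):
    """Percentage of the whole treemap taken by each top-level rectangle
    (the 20% / 80% figure on the protocol treemap slide is this number)."""
    total = size(tree)
    return {name: round(100.0 * size(child) / total, 1) for name, child in tree.items()}


def count_leaf(node, leaf_name):
    """Number of rows under node whose last-level value equals leaf_name."""
    if isinstance(node, int):
        return 0
    total = 0
    for name, child in node.items():
        if isinstance(child, int):
            total += child if name == leaf_name else 0
        else:
            total += count_leaf(child, leaf_name)
    return total


def failure_ratio(node, leaf_name="failure"):
    """Colour value for a rectangle: fraction of its rows that ended in
    leaf_name. Assumes Outcome is the innermost hierarchy level."""
    return count_leaf(node, leaf_name) / size(node)


if __name__ == "__main__":
    tree = build_hierarchy(SAMPLE_CSV, ["Target System Type", "User", "Outcome"])
    for system, subtree in tree.items():
        print(f"{system:17} size={size(subtree)} "
              f"share={shares(tree)[system]}% failures={failure_ratio(subtree):.2f}")
```

Run as written, the script lists each target system with its rectangle size, its percentage share of the whole map, and the failure ratio that would drive the colour; a single-level hierarchy such as `["Target System Type"]` gives exactly the flat split the protocol treemap slide shows.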
![Page 25: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/25.jpg)
AfterGlow 2.0 – Output
[Figure: treemap produced from the sample data]
![Page 26: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/26.jpg)
AfterGlow 2.0 – Interaction
► Left-click:
• Zoom in
► Right-click:
• Zoom all the way out
► Middle-click:
• Change Coloring to current depth
(Hack: Use SHIFT for leafs)
![Page 27: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/27.jpg)
Firewall Log File Analysis
![Page 28: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/28.jpg)
Firewall Log File Analysis – Overview
1. Parse Firewall Log
2. Investigate allowed incoming traffic
► Do you know what you are dealing with?
3. Investigate allowed outgoing traffic
► What is leaving the network?
4. Investigate blocked outgoing traffic
► Mis-configured or compromised internal machines OR ACL problem
5. Investigate blocked incoming traffic
► What is trying to attack me?
![Page 29: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/29.jpg)
Firewall Log File Analysis – Parsing PF Firewall Log
Command:
cat pflog | pf2csv.pl "sip dip dport"
Input (pflog):
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Output (AfterGlow Input):
195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
Visualization:
cat pflog | pf2csv.pl "sip dip dport" | afterglow -c properties | neato -Tgif -o foo.gif
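The pf2csv.pl step above, together with the "reversed" mode and the `grep -v "R$"` trick used later against blocked outgoing traffic, re-implemented in Python as an added example (this is not pf2csv.pl's code). The regular expression is written for the pflog line format shown on this slide; the response heuristic (well-known source port, ephemeral destination port) is my assumption and not necessarily the one pf2csv.pl uses; the third sample line, a blocked reply, is constructed.

```python
import csv
import io
import re

# Two pflog lines from the slide plus one constructed "block in" line that is
# the server's reply coming back through the firewall on the inside interface.
SAMPLE_PFLOG = """\
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Feb 18 13:39:16.004712 rule 12/0(match): block in on xl1: 195.141.69.42.80 > 195.27.249.139.63263: S 1:1(0) ack 492525756 win 16384 <mss 1460> (DF)
"""

# Matches the fixed prefix of a pflog text line: timestamp, rule, action,
# direction, interface, then "sip.sport > dip.dport:".
PF_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) rule (?P<rule>\S+): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_pf_line(line):
    """Return the fields of one pflog line as a dict, or None if it does not match."""
    m = PF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Combined key so a caller can grep for pass_in / block_out as on the slides.
    rec["action_dir"] = f"{rec['action']}_{rec['dir']}"
    return rec


def looks_like_response(rec):
    """Assumed heuristic (mine, not pf2csv.pl's): a packet whose source port is
    a well-known service port and whose destination port is ephemeral is the
    server's reply rather than the client's request."""
    return int(rec["sport"]) < 1024 <= int(rec["dport"])


def pf_to_rows(log_text, fields=("sip", "dip", "dport"), reversed_mode=False):
    """Mimic pf2csv.pl "sip dip dport [reversed]": one CSV row per matching line.
    In reversed mode, replies are flipped to client->server orientation and
    tagged with a trailing "R" so a later `grep -v "R$"` can drop them."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_pf_line(line)
        if rec is None:
            continue  # unparsable line (e.g. ICMP or a truncated record): skip it
        flag = ""
        if reversed_mode and looks_like_response(rec):
            rec["sip"], rec["dip"] = rec["dip"], rec["sip"]
            rec["sport"], rec["dport"] = rec["dport"], rec["sport"]
            flag = "R"
        row = [rec[f] for f in fields]
        if flag:
            row.append(flag)
        rows.append(row)
    return rows


def rows_to_csv(rows):
    """Serialise rows exactly as the AfterGlow input on the slide looks."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(pf_to_rows(SAMPLE_PFLOG)))
    print(rows_to_csv(pf_to_rows(SAMPLE_PFLOG, reversed_mode=True)))
```

Without `reversed_mode` the blocked reply shows up as a bogus "outgoing connection" from the web server to a high port, which is exactly the confusion the "Blocked Outgoing Traffic" slides describe; with it, the same line is re-oriented and marked so it can be filtered before graphing.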
![Page 30: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/30.jpg)
Firewall Log File Analysis – Passed Incoming Traffic
Command:
cat log | grep pass_in | ./afterglow -c properties -d | dot -Tgif -o foo.gif
Properties:
cluster.source="External" if (!match("^195\.141\.69"))
color="red" if (field() eq "External")
color.event="blue" if (regex("^195\.141\.69"))
color.event="lightblue"
color="red"
Features/Functions: field(), cluster, match()
[Figure: link graph; annotation "Port 100 access"]
![Page 31: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/31.jpg)
Firewall Log File Analysis – Passed Outgoing Traffic
Command:
cat log | grep pass_out | ./afterglow -c properties -d | neato -Tgif -o foo.gif
![Page 32: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/32.jpg)
Firewall Log File Analysis – Blocked Outgoing Traffic
Command:
cat log | grep block_out | ./afterglow -c properties -d | neato -Tgif -o foo.gif
What happened?
Rule-set logs on response
[Figure: Client → Firewall (interfaces xl0 / xl1) → Server; the request passes, and it is the response that gets logged as "block in on xl1"]
![Page 33: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/33.jpg)
Firewall Log File Analysis – Blocked Outgoing Traffic – 2nd Attempt
cat log | pf2csv.pl "sip dip dport reversed" | grep -v "R$"
Uses heuristics to filter responses out
Port 427/svrloc
![Page 34: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/34.jpg)
Firewall Log File Analysis – Blocked Incoming Traffic
Command:
cat log | grep block_in | ./afterglow -c properties -d | neato -Tgif -o foo.gif
You guessed right: WAY TOO MESSY!
![Page 35: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/35.jpg)
Firewall Log File Analysis – Blocked Incoming Port-Scans
Command:
cat log | grep block_in | ./afterglow -c properties -d -g 2 | neato -Tgif -o foo.gif
Properties:
cluster.target=">30000" if ($fields[2]>30000)
cluster.target=">1024" if ($fields[2]>1024)
color= . . .
Feature:
-g 2 : Filter based on event-node fan-out, i.e., more than two ports accessed!
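The property-file mechanics from the AfterGlow 1.x slides (colour and cluster rules over `$fields`, the `-d` node counts) and the event-node fan-out filter `-g` used here, as one added Python example that is not AfterGlow's code. Rows are (source, event, target) triples in the "sip dip dport" shape; the Perl expressions of a property file are replaced by small Python functions, the internal prefix 195.141.69 is taken from the slides, and the sample rows (including a second target host with only two ports touched, so the fan-out threshold has something to drop) are constructed. The DOT output can be fed straight to `neato` or `dot`.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape pf2csv.pl "sip dip dport" emits.
SAMPLE_CSV = """\
195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
61.2.3.4,195.141.69.42,135
61.2.3.4,195.141.69.42,139
61.2.3.4,195.141.69.42,445
61.2.3.4,195.141.69.42,31337
61.2.3.4,195.141.69.43,80
61.2.3.4,195.141.69.43,8080
"""

INTERNAL_PREFIX = "195.141.69."   # the deck's (obfuscated) internal network


def cluster_target(fields):
    """Python form of the slide's cluster.target rules: bucket high ports."""
    port = int(fields[2])
    if port > 30000:
        return ">30000"
    if port > 1024:
        return ">1024"
    return fields[2]


def color_node(kind, name):
    """Colour rule stand-in: internal hosts blue, other hosts red, ports gray."""
    if kind == "target":
        return "gray"
    return "blue" if name.startswith(INTERNAL_PREFIX) else "red"


def build_graph(csv_text, fanout_threshold=0):
    """Return ({node: colour}, {(a, b): count}) after clustering and filtering.

    fanout_threshold plays the role of afterglow -g N: an event node (column 1)
    survives only if it links to more than N distinct target nodes, which is
    what isolates hosts that were probed on many ports."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if len(r) == 3]
    triples = defaultdict(int)
    for f in rows:
        triples[(f[0], f[1], cluster_target(f))] += 1

    fanout = defaultdict(set)
    for (_, evt, tgt) in triples:
        fanout[evt].add(tgt)
    keep = {e for e, tgts in fanout.items() if len(tgts) > fanout_threshold}

    nodes, edges = {}, defaultdict(int)
    for (src, evt, tgt), n in triples.items():
        if evt not in keep:
            continue
        nodes[src] = color_node("source", src)
        nodes[evt] = color_node("event", evt)
        nodes[tgt] = color_node("target", tgt)
        edges[(src, evt)] += n   # counts double as the -d "print count" feature
        edges[(evt, tgt)] += n
    return nodes, dict(edges)


def to_dot(nodes, edges):
    """Serialise the graph to GraphViz DOT with counts as edge labels."""
    out = ["digraph afterglow {"]
    for name, color in sorted(nodes.items()):
        out.append(f'  "{name}" [style=filled, fillcolor={color}];')
    for (a, b), n in sorted(edges.items()):
        out.append(f'  "{a}" -> "{b}" [label="{n}"];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_dot(*build_graph(SAMPLE_CSV, fanout_threshold=2)))
```

With the threshold at 2 the host touched on only two ports disappears from the picture, leaving the scanned host and the scanning source; with the threshold at 0 everything is drawn, which on a real blocked-incoming log is the "way too messy" graph of the previous slide.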
![Page 36: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/36.jpg)
Firewall Log File Analysis – Blocked Incoming Port-Scans
[Figure: link graph with node configuration SIP → DIP → DPort]
![Page 37: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/37.jpg)
Firewall Log File Analysis – Blocked Incoming Bogon Addresses
Command:
cat log | grep block_in | ./afterglow -c properties -d | neato -Tgif -o foo.gif
This is going to be crazy!
![Page 38: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/38.jpg)
Firewall Log File Analysis – Blocked Incoming Bogon Addresses
Command:
cat log | grep block_in | ./afterglow -c properties -d | neato -Tgif -o foo.gif
Properties:
Bogon Address Space:
variable=@ranges=qw{0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 77.0.0.0/8 78.0.0.0/7 92.0.0.0/6 96.0.0.0/4 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 192.0.2.0/24 192.168.0.0/16 197.0.0.0/8 198.18.0.0/15 223.0.0.0/8 224.0.0.0/3};
cluster.source=$value=0; map{ $value+=subnet(field(),$_) } @ranges; regex_replace("(\\d+)")."/8" if (!match("^(195\.141\.69)") && !$value);
cluster.target=$value=0; map{ $value+=subnet(field(),$_) } @ranges; regex_replace("(\\d+)")."/8" if (!match("^(195\.141\.69)") && !$value);
color=$value=0; map{ ($value+=subnet(field(),$_)) } @ranges; "red" if ($value)
color="green" if (!match("^(195\.141\.69)"))
color="blue"
Features:
variable=
regex_replace()
subnet(IP,range), e.g., subnet("10.0.0.2","10.0.0.0/8") → 1 (true)
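The bogon logic of the property file above, as an added Python example that is not AfterGlow's code: `subnet()` is the Python equivalent of the slide's `subnet(IP, range)`, and `classify()` applies the same three-way rule (internal hosts keep their address and turn blue, bogon sources keep their address and turn red, everything else collapses to its /8 and turns green). The range list is copied verbatim from the slide; it is the 2006 view of unallocated space, and several of those /8s have since been allocated, so a current analysis must refresh the list or legitimate traffic will be painted as bogon. The sample addresses are constructed.

```python
import ipaddress
from collections import Counter

# Bogon ranges exactly as listed in the deck's property file (2006 vintage).
BOGON_RANGES = """0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8
31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 77.0.0.0/8 78.0.0.0/7
92.0.0.0/6 96.0.0.0/4 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 192.0.2.0/24 192.168.0.0/16 197.0.0.0/8
198.18.0.0/15 223.0.0.0/8 224.0.0.0/3""".split()

INTERNAL_PREFIX = "195.141.69."   # the deck's (obfuscated) internal network

# Constructed sample of source addresses as they might appear in block_in lines.
SAMPLE_SOURCES = ["195.27.249.139", "61.2.3.4", "61.9.9.9", "10.1.2.3",
                  "224.0.0.1", "192.168.1.5", "195.141.69.42", "not-an-ip"]


def subnet(ip, rng):
    """Equivalent of AfterGlow's subnet(IP, range): 1 if ip lies in rng, else 0."""
    try:
        return int(ipaddress.ip_address(ip) in ipaddress.ip_network(rng, strict=True))
    except ValueError:
        return 0


def is_bogon(ip):
    """True if the address falls into any range of the (2006) bogon list."""
    return any(subnet(ip, r) for r in BOGON_RANGES)


def classify(ip):
    """Return (node label, colour) following the slide's cluster/color rules."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return ip, "gray"                   # malformed field: keep it visible, uncoloured
    if ip.startswith(INTERNAL_PREFIX):
        return ip, "blue"
    if is_bogon(ip):
        return ip, "red"                    # left as an individual node, painted red
    return ip.split(".")[0] + "/8", "green" # regex_replace("(\\d+)")."/8" on the slide


def summarize(ips):
    """Count nodes per colour: a quick check of how much blocked traffic
    claims a source that cannot legitimately exist on the Internet."""
    return Counter(classify(ip)[1] for ip in ips)


if __name__ == "__main__":
    for ip in SAMPLE_SOURCES:
        print(f"{ip:16} -> {classify(ip)}")
    print(summarize(SAMPLE_SOURCES))
```

Because the /8 clustering is applied only to non-bogon external sources, the two 61.x.x.x addresses merge into one green "61/8" node while each bogon source stays a separate red node, which is what makes the three regions of the resulting graph (bogon, external, internal) separate cleanly.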
![Page 39: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/39.jpg)
Firewall Log File Analysis – Blocked Incoming Bogon Addresses
[Figure: link graph with three regions: Bogon Addresses, External Addresses, Internal Addresses]
![Page 40: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/40.jpg)
Summary
► Introduced AfterGlow
• Filtering
• Coloring
• Clustering
► Quickly Visualize Log Files
• Understand Relationships
• Find Outliers
• Spot suspicious activity
Don’t Read Log Files
Visualize Them!!
![Page 41: Visual Log Analysis - DefCon 2006](https://reader033.fdocuments.in/reader033/viewer/2022061105/544347afafaf9fef098b4818/html5/thumbnails/41.jpg)
THANKS!