log visualization - bellua bcs 2006
Posted 18-Oct-2014
DESCRIPTION
Log Visualization from Bellua BCS in Jakarta, 2006
TRANSCRIPT
Logfile Visualization – The Beauty of Graphs
BCS 2006, Jakarta
Raffael Marty, GCIA, CISSP
Manager Solutions @ ArcSight
August 30th, 2006
Raffael Marty, BCS 2006 Jakarta
Raffael Marty, GCIA, CISSP
► Enterprise Security Management (ESM) specialist
► Strategic Application Solutions @ ArcSight, Inc.
► Intrusion Detection Research @ IBM Research
  See http://thor.cryptojail.net
► IT Security Consultant @ PriceWaterhouse Coopers
► Open Vulnerability and Assessment Language (OVAL) board member
► Passion for Visual Security Event Analysis
Table Of Contents
► Introduction
► Graphing Basics
► Graph Use Cases
► Visual Analysis Process
► AfterGlow
► Firewall Log Visualization
Introduction
Disclaimer
IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
A Picture is Worth a Thousand Log Entries
► Detect the Expected & Discover the Unexpected
► Make Better Decisions
► Reduce Analysis and Response Times
Text or Visuals?
► What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Graphing Basics
How To Generate A Graph
Device → Parser → ... | Normalization | ... → Visualizer
Log File (the raw syslog excerpt from the previous slide) → Visual
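The Device → Parser → Normalization → Visualizer pipeline of this slide, as an added example (Python rather than the deck's Perl tools; not code from the deck or from AfterGlow). It normalizes lines in the format of the syslog excerpt above into (source, event, target) triples, counts repeats, and writes a GraphViz DOT file that `neato` or `dot` can render. The sample lines are a constructed subset of the slide's excerpt; making one event node per source (so two scanners do not collapse into a single "UDP scan" node) is a design choice of this example.

```python
"""Added example: syslog -> (source, event, target) CSV -> GraphViz DOT."""
import re
from collections import Counter

# Constructed sample in the format of the slide's syslog excerpt.
SAMPLE_LOG = """\
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SCAN_RE = re.compile(r"UDP scan from host: (?P<sip>[\d.]+)/[\d.]+ to UDP port: (?P<dport>\d+)")
DHCP_RE = re.compile(r"(?P<type>DHCP[A-Z]+) (?:from|on [\d.]+ to|for [\d.]+ from) (?P<client>[\da-f:]{17})")


def normalize(line):
    """Parser/normalization step: map one raw syslog line to a
    (source, event, target) triple, or None for lines not worth drawing."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "portsentry":
        s = SCAN_RE.search(msg)
        if s:  # scanner -> "UDP scan" -> scanned port
            return (s.group("sip"), "UDP scan", "udp/" + s.group("dport"))
        return None  # "already blocked ... Ignoring" lines add nothing
    if prog == "vmnet-dhcpd":
        d = DHCP_RE.search(msg)
        if d:  # client MAC -> DHCP message type -> DHCP server host
            return (d.group("client"), d.group("type"), m.group("host"))
    return None


def to_csv_rows(text):
    """Every drawable line becomes a triple; repeats are counted so the
    visualizer can use the count as edge weight."""
    rows = Counter()
    for line in text.splitlines():
        triple = normalize(line)
        if triple:
            rows[triple] += 1
    return rows


def to_dot(rows):
    """Visualizer step: a three-column link graph (source -> event -> target)
    in GraphViz DOT; the event node is made unique per source."""
    out = ["digraph log {", "  node [shape=box, fontsize=10];"]
    for (src, evt, dst), n in sorted(rows.items()):
        evt_id = f"{src}|{evt}"
        out.append(f'  "{src}" -> "{evt_id}" [label="{n}"];')
        out.append(f'  "{evt_id}" -> "{dst}";')
        out.append(f'  "{evt_id}" [label="{evt}", shape=ellipse];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe the output into: neato -Tgif -o log.gif
    print(to_dot(to_csv_rows(SAMPLE_LOG)))
```

The filtering that AfterGlow does later in the chain already starts here: the "already blocked" portsentry lines and the cron session records are dropped in the normalizer because they carry no relationship worth a node.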
Visual Types
► Link Graphs (AfterGlow 1.x - Perl)
► TreeMaps (AfterGlow 2.0 - JAVA)
Link Graph Configurations
Raw Event:[**] [1:1923:2] RPC portmap UDP proxy attempt [**][Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DFLen: 120
Different node configurations:
192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111
192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255
SPortSIP DPort SIPName DIP
DIPSIP DPortNameSIP DIP
Raffael Marty 12BCS 2006 Jakarta
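The same raw event under each of the four node configurations, as an added example (not code from the deck). It parses a Snort alert in the full text format shown above and selects source, event and target columns by name, in the "sip dip dport" argument style the deck's pf2csv.pl and tcpdump2csv.pl use. The alert text is a constructed copy of the slide's raw event; the column names are this example's.

```python
"""Added example: Snort full-format alert -> named fields -> CSV triple per configuration."""
import re

# Constructed copy of the slide's raw event.
RAW_ALERT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (?P<class>[^\]]+)\] \[Priority: (?P<prio>\d+)\]")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$", re.M)
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)", re.M)

# The slide's four configurations as "source event target" column names.
CONFIGURATIONS = ("sip name dip", "sip dip dport", "sip sport dport", "name sip dip")


def parse_alert(text):
    """Normalize one Snort alert block into a flat dict of named fields."""
    fields = {}
    for rx in (HEADER_RE, CLASS_RE, FLOW_RE, PROTO_RE):
        m = rx.search(text)
        if m:
            fields.update(m.groupdict())
    if not {"name", "sip", "dip", "dport"} <= set(fields):
        raise ValueError("not a Snort full-format alert")
    return fields


def select(fields, configuration):
    """Pick the source, event and target columns by name, e.g. "sip dip dport"."""
    cols = configuration.split()
    if len(cols) != 3:
        raise ValueError("a configuration names exactly three columns")
    missing = [c for c in cols if c not in fields]
    if missing:
        raise KeyError("unknown column(s): " + ", ".join(missing))
    return tuple(fields[c] for c in cols)


def csv_rows(alerts, configuration):
    """One CSV line per alert for the chosen configuration: the file AfterGlow reads."""
    return [",".join(select(parse_alert(a), configuration)) for a in alerts]


if __name__ == "__main__":
    for cfg in CONFIGURATIONS:
        print(f"{cfg:16s} -> {csv_rows([RAW_ALERT], cfg)[0]}")
```

Which configuration to draw depends on the question: SIP → Name → DIP shows who triggered which signature against whom, SIP → DIP → DPort shows scanning fan-out, and SPort as a middle node is rarely useful because ephemeral ports are unique per connection and produce one node per packet.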
Tree Maps
[Tree map: All Network Traffic, a single box]

Tree Maps
Configuration (Hierarchy): Protocol
[Tree map split by protocol: UDP 20%, TCP 80%]

Tree Maps
Configuration (Hierarchy): Protocol -> Service
[Tree map: the UDP and TCP boxes subdivided by service: HTTP, SSH, FTP, DNS, SNMP]
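The two steps behind these tree map slides, as an added example (not code from the deck or from AfterGlow 2.0): aggregating flow records into the configured hierarchy (Protocol, or Protocol -> Service) and laying the hierarchy out with the slice-and-dice algorithm so that every box's area is proportional to its size, which is what makes the 20% UDP / 80% TCP split visible at a glance. The flow records and byte counts are constructed; which service is put under which protocol is part of the constructed data, not a statement of the slide.

```python
"""Added example: hierarchy aggregation and slice-and-dice tree map layout."""

# Constructed flow records: (protocol, service, bytes).
FLOWS = [
    ("TCP", "HTTP", 500), ("TCP", "HTTP", 100), ("TCP", "SSH", 150),
    ("TCP", "FTP", 50), ("UDP", "DNS", 150), ("UDP", "SNMP", 50),
]


def build_tree(records, depth):
    """Aggregate records into nested dicts keyed by the first `depth` columns;
    a leaf holds the sum of the size column (the last one). depth=1 is the
    slide's "Protocol" hierarchy, depth=2 is "Protocol -> Service"."""
    tree = {}
    for rec in records:
        node = tree
        for key in rec[:depth - 1]:
            node = node.setdefault(key, {})
        leaf = rec[depth - 1]
        node[leaf] = node.get(leaf, 0) + rec[-1]
    return tree


def total(node):
    """Size of a subtree (leaf sizes summed)."""
    return node if isinstance(node, (int, float)) else sum(total(v) for v in node.values())


def slice_and_dice(node, x=0.0, y=0.0, w=1.0, h=1.0, vertical=True, path=()):
    """Split the rectangle (x, y, w, h) among the children of `node` in
    proportion to their sizes, alternating the split axis at each level and
    placing the largest child first. Returns (path, x, y, w, h) per leaf."""
    if isinstance(node, (int, float)):
        return [(path, x, y, w, h)]
    size = total(node)
    if size == 0:
        return []
    rects, offset = [], 0.0
    for name, child in sorted(node.items(), key=lambda kv: -total(kv[1])):
        frac = total(child) / size
        if vertical:  # children side by side
            cx, cy, cw, ch = x + offset, y, w * frac, h
            offset += cw
        else:  # children stacked
            cx, cy, cw, ch = x, y + offset, w, h * frac
            offset += ch
        rects += slice_and_dice(child, cx, cy, cw, ch, not vertical, path + (name,))
    return rects


def area_share(rects):
    """Fraction of the canvas taken by each leaf: the check that area really
    tracks size, which is the property a tree map must preserve."""
    canvas = sum(r[3] * r[4] for r in rects)
    return {r[0]: r[3] * r[4] / canvas for r in rects}


if __name__ == "__main__":
    tree = build_tree(FLOWS, 2)
    for path, x, y, w, h in slice_and_dice(tree, 0, 0, 100, 100):
        print(f"{'/'.join(path):10s} x={x:5.1f} y={y:5.1f} w={w:5.1f} h={h:5.1f}")
```

Slice-and-dice is the simplest layout and produces the long thin boxes visible when sizes are very unequal; the point of the example is the invariant (area equals share of the total at every level), not the aesthetics.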
Graph Use Cases

Graph Use-Cases: Situational Awareness Dashboard

Graph Use-Cases: Suspicious Activity?

Graph Use-Cases: Network Scan

Graph Use-Cases: Port Scan?
► Port scan or something else?

Graph Use-Cases: Port Scan
Configuration: SIP → DIP → DPort
Graph Use-Cases: Telecom Malicious Code Propagation
Configuration: From Phone# → To Phone# → Content Type | Size
Graph Use-Cases: Email Relays
Configuration: From → To
Legend: From: My Domain / From: Other Domain / To: My Domain / To: Other Domain
► Do you run an open relay?
• Grey out emails to and from "my domain"
• Make "my domain" invisible
Visual Analysis Process
Visual Analysis Process: Event Feedback Loop
Device → Normalization → Filter → Correlation → Visual
Device output (pf log):
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Normalized (sip,dip,dport):
195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
After filter/correlation:
195.27.249.139,195.141.69.42,80 Service stopped
Visual Analysis Process: Event Feedback Loop
► Visual Detection
► Visual Investigation
► Assign to Content Author
► Creation of new Filters and Correlation Components
(Real-time Data Processing; Forensic and Historical Analysis)
Visual Analysis Process: Visual Detection
Beginning of Analyst's shift
Visual Analysis Process: Visual Detection
► Scan Events
► Firewall Blocks
Scanning activity is displayed
Visual Analysis Process: Visual Investigation
Visual Analysis Process: Defining New Content
1. Correlation
   • Assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
2. Filter
   • Internal machines on white-list
   • connecting to Active Directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
AfterGlow
http://afterglow.sourceforge.net
► Two Versions:
• AfterGlow 1.x – Perl for Link Graphs
• AfterGlow 2.0 – Java for TreeMaps
► Collection of Parsers:
• pf2csv.pl: BSD PacketFilter (pf)
• tcpdump2csv.pl: tcpdump 3.9
• sendmail2csv.pl: Sendmail transaction logs
AfterGlow: afterglow.sourceforge.net
AfterGlow Parsers
► tcpdump2csv.pl
• Takes care of swapping response source and targets
tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
► sendmail_parser.pl
• Reassembles email conversations:
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<[email protected]>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
► pf2csv.pl
• Parses OpenBSD pf output
AfterGlow 1.x - Perl
► Supported graphing tools:
• GraphViz from AT&T (dot, neato, circo, twopi): http://www.graphviz.org
• LGL (Large Graph Layout) by Alex Adai: http://bioinformatics.icmb.utexas.edu/lgl/
Pipeline: Parser → CSV File → AfterGlow → Graph Language File → Grapher
AfterGlow 1.x Features
► Generate Link Graphs
► Filtering Nodes
• Based on name
• Based on number of occurrences
► Fan Out Filtering (example: Fan Out: 3)
► Coloring
• Edges
• Nodes
► Clustering
AfterGlow 1.x Hello World
Input Data:
a,b
a,c
b,c
d,e
Command:
cat file | ./afterglow -c simple.properties -t | neato -Tgif -o test.gif
simple.properties:
color.source="green" if ($fields[0] ne "d")
color.target="blue" if ($fields[1] ne "e")
color.source="red"
color="green"
Output: link graph with nodes a, b, c, d, e (a→b, a→c, b→c, d→e)
AfterGlow 1.x Property File – Color Definition
Coloring:
color.[source|event|target|edge]=<perl expression returning a color name>
Array @fields contains the input line, split into tokens:
color.event="red" if ($fields[1] =~ /^192\..*/)
Filter nodes with "invisible" color:
color.target="invisible" if ($fields[0] eq "IIS Action")
AfterGlow 1.x Property File - Clustering
Clustering:
cluster.[source|event|target]=<perl expression returning a cluster name>
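The property-file semantics of the last three slides (Hello World, color definition, clustering) plus the fan-out filter from the features slide, as one added example in Python (not AfterGlow's code). Conditions are Python lambdas over the split line instead of Perl expressions over @fields; rules are tried in order and the first one whose condition holds wins; "invisible" drops a node with its edges; a matching cluster rule replaces the node name by the cluster name. Giving a node that appears both as source and as target its source color is a choice made for this example, not documented AfterGlow behaviour. Input is the Hello World data.

```python
"""Added example: first-match color/cluster rules, invisible filtering and fan-out filtering."""
from collections import defaultdict

HELLO_WORLD = ["a,b", "a,c", "b,c", "d,e"]  # two-column input: source,target

# simple.properties from the Hello World slide as (scope, value, condition);
# scope "" is the unscoped color= line, condition None means "always".
SIMPLE_PROPERTIES = [
    ("source", "green", lambda f: f[0] != "d"),
    ("target", "blue", lambda f: f[1] != "e"),
    ("source", "red", None),
    ("", "green", None),
]


def first_match(rules, scope, fields):
    """Value of the first rule for `scope` (or an unscoped rule) whose
    condition holds on this line's fields; None if nothing matches."""
    for rule_scope, value, cond in rules:
        if rule_scope in (scope, "") and (cond is None or cond(fields)):
            return value
    return None


def apply_properties(lines, color_rules, cluster_rules=()):
    """CSV lines -> (edges, node colors). Cluster rules rename a node into its
    cluster; an edge with an "invisible" end is dropped together with that end;
    a node seen as both source and target keeps its source color (assumption)."""
    edges, colors = [], {}
    for line in lines:
        fields = line.split(",")
        ends = []
        for idx, scope in enumerate(("source", "target")):
            name = first_match(cluster_rules, scope, fields) or fields[idx]
            ends.append((name, first_match(color_rules, scope, fields)))
        if any(color == "invisible" for _, color in ends):
            continue
        for i, (name, color) in enumerate(ends):
            if i == 0 or name not in colors:
                colors[name] = color
        edges.append((ends[0][0], ends[1][0]))
    return edges, colors


def fan_out_filter(edges, min_fan_out):
    """Fan-out filtering: keep only source nodes that reach at least
    `min_fan_out` distinct targets. A scanner keeps its edges; a host that
    touched a single target disappears from the picture."""
    targets = defaultdict(set)
    for src, dst in edges:
        targets[src].add(dst)
    return [(s, t) for s, t in edges if len(targets[s]) >= min_fan_out]


if __name__ == "__main__":
    edges, colors = apply_properties(HELLO_WORLD, SIMPLE_PROPERTIES)
    print(edges)
    print(colors)
    print(fan_out_filter(edges, 2))
```

Rule order matters in the same way it does in the property file: the catch-all color.source="red" has to come after the conditional green rule, and an "invisible" rule placed first removes nodes before any color is assigned.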
AfterGlow 2.0 - Java
► Command line arguments:
-h : help
-c file : property file
-f file : data file
Pipeline: Parser → CSV File → AfterGlow - Java
AfterGlow 2.0 Example
► Data:
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
► Launch:
./afterglow-java.sh -c afterglow.properties
► afterglow.properties:
# AfterGlow - JAVA 2.0
# Properties File

# File to load
file.name=/home/ram/afterglow/data/sample.csv

# Column Types (default is STRING), start with 0!
# Valid values:
# STRING
# INTEGER
# CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL

# Size Column (default is 0)
size.column=0

# Color Column (default is 0)
color.column=2
AfterGlow 2.0 Output
AfterGlow 2.0 Interaction
► Left-click: Zoom in
► Right-click: Zoom all the way out
► Middle-click: Change coloring to current depth (Hack: Use SHIFT for leafs)
AfterGlow Firewall Log Analysis Example
Command:
cat pflog | pf2csv.pl "sip dip dport"
Input (pflog):
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Output:
195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
AfterGlow Input / Visualization:
cat pflog | pf2csv.pl "sip dip dport" | afterglow -c properties | neato -Tgif -o foo.gif
AfterGlow Firewall Log Analysis Example
Command:
cat log | grep pass_in | ./afterglow -c properties -d | dot -Tgif -o foo.gif
Properties:
cluster.source="External" if (!match("^195\.141\.69"))
color="red" if (field() eq "External")
color.event="blue" if (regex("^195\.141\.69"))
color.event="lightblue"
color="red"
(Graph callout: Port 100 access)
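The firewall log example of these two slides and the "Defining New Content" rule from the Visual Analysis Process section, as one added example (Python; not the deck's pf2csv.pl). It parses pflog text in the format tcpdump prints for OpenBSD pf, selects output columns with the same "sip dip dport" style argument, swaps a reply coming from a well-known port the way the deck says tcpdump2csv.pl does for responses, applies the cluster.source="External" rule from the properties above, and then runs the rule: hand over to an analyst any external machine with more than 20 drops to one internal machine, unless that internal machine is white-listed (the slide's example being machines that talk to the Active Directory servers). The internal network 195.141.69.0/24, the white-list entry and the block lines are constructed; the two pass lines are the slide's.

```python
"""Added example: pflog -> CSV columns, External/Internal clustering, threshold rule."""
import ipaddress
import re
from collections import Counter

INTERNAL = ipaddress.ip_network("195.141.69.0/24")  # assumption: the slide's internal hosts
WHITELIST = {"195.141.69.10"}  # assumption: e.g. an Active Directory server
THRESHOLD = 20  # "more than 20 firewall drops"

PF_RE = re.compile(
    r"^(?P<ts>.+?) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")


def pf_line(action, sip, sport, dip, dport, i=0):
    """Build one constructed pflog line for the sample below."""
    return (f"Feb 18 13:40:{i % 60:02d}.000000 rule 0/0(match): {action} in on xl0: "
            f"{sip}.{sport} > {dip}.{dport}: S 1:1(0) win 32768 (DF)")


SAMPLE_PFLOG = [
    "Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: "
    "S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)",
    "Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: "
    "S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)",
    pf_line("pass", "195.141.69.42", 80, "195.27.249.139", 63263),  # server reply; gets swapped
] + [pf_line("block", "203.0.113.5", 40000 + i, "195.141.69.42", 445, i) for i in range(25)] \
  + [pf_line("block", "203.0.113.5", 50000 + i, "195.141.69.10", 389, i) for i in range(25)] \
  + [pf_line("block", "203.0.113.6", 50000 + i, "195.141.69.42", 445, i) for i in range(5)]


def parse_pf(line, swap_replies=True):
    """One pflog line -> dict of fields, or None for lines that are not packet
    records. A packet from a well-known port to an ephemeral port is a reply:
    swap the ends so the edge keeps pointing client -> server."""
    m = PF_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if swap_replies and int(f["sport"]) < 1024 <= int(f["dport"]):
        f["sip"], f["dip"] = f["dip"], f["sip"]
        f["sport"], f["dport"] = f["dport"], f["sport"]
    return f


def to_csv(lines, columns="sip dip dport", swap_replies=True):
    """Equivalent of `pf2csv.pl "sip dip dport"`: one CSV row per packet line."""
    cols = columns.split()
    rows = []
    for line in lines:
        f = parse_pf(line, swap_replies)
        if f:
            rows.append(",".join(f[c] for c in cols))
    return rows


def cluster(ip):
    """The properties-file rule: cluster.source="External" if not in my network."""
    return "Internal" if ipaddress.ip_address(ip) in INTERNAL else "External"


def blocks_to_investigate(lines, threshold=THRESHOLD, whitelist=WHITELIST):
    """Correlation: count blocked external -> internal pairs. Filter: drop
    white-listed internal targets. Result: the pairs to assign for analysis."""
    counts = Counter()
    for line in lines:
        f = parse_pf(line)
        if f and f["action"] == "block" and cluster(f["sip"]) == "External" and cluster(f["dip"]) == "Internal":
            counts[(f["sip"], f["dip"])] += 1
    return sorted((src, dst, n) for (src, dst), n in counts.items()
                  if n > threshold and dst not in whitelist)


if __name__ == "__main__":
    for row in to_csv(SAMPLE_PFLOG[:3]):
        print(row)
    print(blocks_to_investigate(SAMPLE_PFLOG))
```

The white-list is the filter step of the feedback loop: without it the 25 drops toward the directory server would open a ticket every shift, and the rule would be tuned down until it stopped catching the real case as well.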
Summary
► Quickly Visualize Log Files
• Understand Relationships
• Find Outliers
• Spot suspicious activity
► Visual Data Analysis Process
► AfterGlow
► Firewall Log File Analysis
Don't Read Log Files
Visualize Them!!