SlideShare una empresa de Scribd logo

Os Rash

oscon2007
oscon2007
Tecnología
1 de 40
Iptables Attack Visualization Michael Rash Security Architect Enterasys Networks, Inc. http://www.cipherdyne.org/ OSCON 2007­07­26   Copyright (C) 2007 Michael Rash 1
Agenda Why visualize iptables log data? ● context and change – iptables log message formats and data  – completeness New psad­2.0.8 release with Gnuplot interface ● Honeynet Project Scan34 iptables  ● visualizations (see http://www.honeynet.org) Gnuplot – AfterGlow –   Copyright (C) 2007 Michael Rash 2
Why Visualize Data? Consider the following set of values (each value  ● represents the number of packets to unique  TCP ports per minute): 5, 4, 2, 1, 3, 4, 55, 58, 70, 85, 120, 9, 2, 3, 1, 5, 4   Copyright (C) 2007 Michael Rash 3
Seeing the Trend   Copyright (C) 2007 Michael Rash 4
Graph Types Gnuplot ● Dots, points, lines through points – Good at seeing  – trends and relationships in large data sets (>  100,000 points) 3D mode with interactive viewing – AfterGlow ● Link Graphs – Good at expressing network  – relationships with IP addresses    Copyright (C) 2007 Michael Rash 5
Iptables Log Data Graphs will only be as good as the data source  ● permits Iptables logs include nearly every interesting  ● field for both the network and transport layer  headers – we just need an effective way to  parse and then visualize this data Iptables log messages can be tied to  ● application layer string matches via the string  match extension (see fwsnort)   Copyright (C) 2007 Michael Rash 6
iptables IP Header Coverage   Copyright (C) 2007 Michael Rash 7
iptables TCP Header Coverage   Copyright (C) 2007 Michael Rash 8
iptables TCP Log Message Jul 11 20:21:22 minastirith kernel: [199]  SID1361 ESTAB IN=eth1 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=60  TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF  PROTO=TCP SPT=28778 DPT=80 WINDOW=5840  RES=0x00 ACK PSH URGP=0 OPT  (0101080A02A041D20CC386B1)   Copyright (C) 2007 Michael Rash 9
iptables UDP Header Coverage   Copyright (C) 2007 Michael Rash 10
iptables UDP Log Message Jul 11 20:50:54 minastirith kernel: [153]  SID2001597 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=40  TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF  PROTO=UDP SPT=32046 DPT=61 LEN=20   Copyright (C) 2007 Michael Rash 11
iptables ICMP Header Coverage   Copyright (C) 2007 Michael Rash 12
iptables ICMP Log Message Jul 11 20:57:18 minastirith kernel: [98]  SID2003294 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=128  TOS=0x00 PREC=0x00 TTL=63 ID=53466  PROTO=ICMP TYPE=8 CODE=0 ID=27459 SEQ=0   Copyright (C) 2007 Michael Rash 13
psad­2.0.8 release Interfaces with Gnuplot – parses iptables log data  ● according to header field requirements and builds both a  data file and a directives file for Gnuplot Various counting modes are supported across different  ● time scales Granular requirements on iptables field values (including  ● negation) Gnuplot works best with integer data (separated by  ● commas or spaces), so IP addresses need to be  translated into integer equivalents   Copyright (C) 2007 Michael Rash 14
psad­2.0.8 release (cont'd) psad ­­gnuplot command line arguments: ●     ­­gnuplot­graph­style ­ “points”, “dots”, “linespoints”     ­­gnuplot­file­prefix ­ <file>.gnu, <file>.dat, <file>.png     ­­gnuplot­title – Graph title (used for psad command line)     ­­gnuplot­sort­style – time sorting vs. value sorting     ­­gnuplot­3D – Use “splot” for three­dimensional viewing     ­­gnuplot­view – Set viewing angle   Copyright (C) 2007 Michael Rash 15
The Honeynet Scan34 Data Set The goal of a Honeynet is to collect data on real  ● compromises – packet traces and log data is an excellent  learning tool Over 170,000 lines of iptables log data in the Scan34  ● challenge – covers a five week period Contains evidence of port scans, port sweeps, worm traffic  ● (Slammer, Nachi), and an outright compromise of a  system – we will visualize these graphically All IP addresses are sanitized to 11.11.0.0/16 ● http://www.honeynet.org/ ●   Copyright (C) 2007 Michael Rash 16
Port Scans Packets to many different ports from a single  ● source address Not just SYN packets, think of Nmap ­sF, ­sN,  ● ­sX, ­sA, (also ­sU for UDP) Visualize with IP address vs. the number of  ● packets to unique ports   Copyright (C) 2007 Michael Rash 17
psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:countuniq” ­­gnuplot­graph points  ­­gnuplot­xrange 0:26500 –gnuplot­ file­prefix portscan   Copyright (C) 2007 Michael Rash 18
Visualizing Port Scans (IP vs.  Packet Count to Unique Ports)   Copyright (C) 2007 Michael Rash 19
psad Gnuplot data files # Generated by psad v2.0.8 (file revision: 2092) # Command line: 'psad ­m iptables.data ­­gnuplot ­­CSV­fields src:not11.11.0.0/16  dp:countuniq ­­gnuplot­graph points ­­gnuplot­xrange 0:26500 ­­gnuplot­file­prefix  portscan ­­use­store portscan.store' # Time stamp:  Sun Jul  8 13:43:28 2007 905, 66  ### 905=60.248.80.102  12415, 10  ### 12415=63.135.2.15  15634, 10  ### 15634=63.186.32.94  24950, 10  ### 24950=218.85.9.143  16374, 8  ### 16374=63.204.104.150    Copyright (C) 2007 Michael Rash 20
When Did the Heaviest Scan  Occur?   Copyright (C) 2007 Michael Rash 21
psad Analysis of Scanner:  60.248.80.102 psad ­m iptables.data ­A ­­analysis­fields quot;src:60.248.80.102quot; SRC:  60.248.80.102, DL: 2, Dsts: 1, Pkts: 67, Unique sigs: 3 DST: 11.11.79.125         Scanned ports: UDP 7­43981, Pkts: 53, Chain: FORWARD, Intf: br0         Scanned ports: TCP 68­32783, Pkts: 14, Chain: FORWARD, Intf: br0         Signature match: quot;POLICY vncviewer Java applet download attemptquot;         TCP, Chain: FORWARD, Count: 1, DP: 5802, SYN, Sid: 1846         Signature match: quot;PSAD­CUSTOM Slammer communication attemptquot;         UDP, Chain: FORWARD, Count: 1, DP: 1434, Sid: 100208         Signature match: quot;RPC portmap listing UDP 32771quot;         UDP, Chain: FORWARD, Count: 1, DP: 32771, Sid: 1281   Copyright (C) 2007 Michael Rash 22
Port Sweeps Packets to a single port number across many  ● hosts Good evidence of an automated worm (or  ● human) that can exploit a specific vulnerability  in a particular service Visualize with external IP addresses vs.  ● destination ports vs. packet count   Copyright (C) 2007 Michael Rash 23
psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:count” ­­gnuplot­graph points -- gnuplot-3d ­­gnuplot­view 74,77 ­­ gnuplot­file­prefix portsweep   Copyright (C) 2007 Michael Rash 24
Visualizing Port Sweeps (IP vs.  Destination Port vs. Packet Count)   Copyright (C) 2007 Michael Rash 25
The Top Port Sweeper:  200.216.205.189 vs. TCP/3306   Copyright (C) 2007 Michael Rash 26
The Top Port Sweeper (Link Graph)   Copyright (C) 2007 Michael Rash 27
Slammer Worm Exploited a vulnerability in MS SQL Server  ● 2000 Single 404­byte UDP packet to port 1434 ● One of the fastest spreading worms in history ● Can easily be spoofed – useless to return ICMP  ● port unreachable with your IDS; need to block  the packet with an IPS and patch the  vulnerability   Copyright (C) 2007 Michael Rash 28
Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Hours)   Copyright (C) 2007 Michael Rash 29
Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Minutes)   Copyright (C) 2007 Michael Rash 30
Nachi Worm Exploits Windows 2000 and XP systems that  ● are not patched against the MS03­026  vulnerability Always sends a 92­byte ICMP echo request to  ● a target system before attempting to exploit the  vulnerability This ICMP packet makes the worm easy to  ● detect   Copyright (C) 2007 Michael Rash 31
Nachi Worm (92­Byte ICMP Packet  vs. Hours)   Copyright (C) 2007 Michael Rash 32
  Copyright (C) 2007 Michael Rash 33
Detecting A Compromised System  with Outbound Connections Honeynet systems should not make outbound  ● connections to external networks (except for  administrative or reporting communication with  known addresses) SSH and IRC connections are particularly  ● suspicious   Copyright (C) 2007 Michael Rash 34
Outbound Connections   Copyright (C) 2007 Michael Rash 35
   
Iptables Logging Args When building iptables LOG rules: ● Use ­­log­ip­options – Use ­­log­tcp­sequence – Use ­­log­tcp­options – More attacks can be detected, and operating  – systems can be passively fingerprinted   Copyright (C) 2007 Michael Rash 37
3D Graphing Demo...   Copyright (C) 2007 Michael Rash 38
No Starch Press, Sept 2007   Copyright (C) 2007 Michael Rash 39
Questions? http://www.cipherdyne.org/ mbr@cipherdyne.org   Copyright (C) 2007 Michael Rash 40

Recomendados

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopDataWorks Summit
 
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...InfluxData
 
DRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesDRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesMohamed Mehdi Ben Aissa
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdateAPNIC
 
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios
 
Adaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAdaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAnju Garg
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandreoscon2007
 
Os Vilain
Os VilainOs Vilain
Os Vilainoscon2007
 

Recomendados

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopDataWorks Summit
 
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...
How to Introduce Telemetry Streaming (gNMI) in Your Network with SNMP with Te...InfluxData
 
DRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesDRP for Big Data - Stream Processing Architectures
DRP for Big Data - Stream Processing ArchitecturesMohamed Mehdi Ben Aissa
 
PhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdatePhNOG 2019: RPKI Deployment Update
PhNOG 2019: RPKI Deployment UpdateAPNIC
 
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...
Nagios Conference 2013 - Troy Lea - Leveraging and Understanding Performance ...Nagios
 
Adaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAdaptive Query Optimization in 12c
Adaptive Query Optimization in 12cAnju Garg
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandreoscon2007
 
Os Vilain
Os VilainOs Vilain
Os Vilainoscon2007
 
Os Racicot
Os RacicotOs Racicot
Os Racicotoscon2007
 
Os Capouch
Os CapouchOs Capouch
Os Capouchoscon2007
 
Os Ramani
Os RamaniOs Ramani
Os Ramanioscon2007
 
Os Keller
Os KellerOs Keller
Os Kelleroscon2007
 
Os Oram
Os OramOs Oram
Os Oramoscon2007
 
Os Bernier
Os BernierOs Bernier
Os Bernieroscon2007
 
Programming the PS3
Programming the PS3Programming the PS3
Programming the PS3Olivier Grisel
 
XS Boston 2008 Network Topology
XS Boston 2008 Network TopologyXS Boston 2008 Network Topology
XS Boston 2008 Network TopologyThe Linux Foundation
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box AttackPrathan Phongthiproek
 
Os Wilhelm
Os WilhelmOs Wilhelm
Os Wilhelmoscon2007
 
The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopMichael Zhang
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemGyula Fóra
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Nelson Calero
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNADawood Aqlan
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsTimothy Spann
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsCisco Canada
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Amazon Web Services
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Cisco Russia
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUTRedge Technologies
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PROIDEA
 

Más contenido relacionado

Destacado

Destacado (6)

Os Racicot
Os RacicotOs Racicot
Os Racicot
 
Os Capouch
Os CapouchOs Capouch
Os Capouch
 
Os Ramani
Os RamaniOs Ramani
Os Ramani
 
Os Keller
Os KellerOs Keller
Os Keller
 
Os Oram
Os OramOs Oram
Os Oram
 
Os Bernier
Os BernierOs Bernier
Os Bernier
 

Similar a Os Rash

The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and HadoopMichael Zhang
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Canada
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemGyula Fóra
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Nelson Calero
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNADawood Aqlan
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsTimothy Spann
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsCisco Canada
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Amazon Web Services
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Cisco Russia
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PROIDEA
 
Perf Tuning Best Practices
Perf Tuning Best PracticesPerf Tuning Best Practices
Perf Tuning Best Practicesguest01bbdd
 
Statsd introduction
Statsd introductionStatsd introduction
Statsd introductionRick Chang
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetryCisco Canada
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining Tail-f Systems
 

Similar a Os Rash (20)

Programming the PS3
Programming the PS3Programming the PS3
Programming the PS3
 
XS Boston 2008 Network Topology
XS Boston 2008 Network TopologyXS Boston 2008 Network Topology
XS Boston 2008 Network Topology
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Os Wilhelm
Os WilhelmOs Wilhelm
Os Wilhelm
 
The Data Center and Hadoop
The Data Center and HadoopThe Data Center and Hadoop
The Data Center and Hadoop
 
Cisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven TelemetryCisco Connect Toronto 2017 - Model-driven Telemetry
Cisco Connect Toronto 2017 - Model-driven Telemetry
 
Large-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop EcosystemLarge-Scale Stream Processing in the Hadoop Ecosystem
Large-Scale Stream Processing in the Hadoop Ecosystem
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAP
 
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
Automate Oracle database patches and upgrades using Fleet Provisioning and Pa...
 
شرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNAشرح مبسط جدا لمنهج سيسكو CCNA
شرح مبسط جدا لمنهج سيسكو CCNA
 
Flink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devopsFlink sql for continuous sql etl apps & Apache NiFi devops
Flink sql for continuous sql etl apps & Apache NiFi devops
 
Model-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data AnalyticsModel-driven Telemetry: The Foundation of Big Data Analytics
Model-driven Telemetry: The Foundation of Big Data Analytics
 
Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018Building CloudScale Networks - AWS Summit Sydney 2018
Building CloudScale Networks - AWS Summit Sydney 2018
 
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
Using packet-tracer, capture and other Cisco ASA tools for network troublesho...
 
Stress your DUT
Stress your DUTStress your DUT
Stress your DUT
 
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
PLNOG20 - Paweł Małachowski - Stress your DUT–wykorzystanie narzędzi open sou...
 
Perf Tuning Best Practices
Perf Tuning Best PracticesPerf Tuning Best Practices
Perf Tuning Best Practices
 
Statsd introduction
Statsd introductionStatsd introduction
Statsd introduction
 
Model driven telemetry
Model driven telemetryModel driven telemetry
Model driven telemetry
 
Dynamic Service Chaining
Dynamic Service Chaining Dynamic Service Chaining
Dynamic Service Chaining
 

Más de oscon2007

J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Touroscon2007
 
Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5oscon2007
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifmoscon2007
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Moleoscon2007
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashearsoscon2007
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swposcon2007
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Mythsoscon2007
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholisticoscon2007
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillipsoscon2007
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdatedoscon2007
 

Más de oscon2007 (20)

J Ruby Whirlwind Tour
J Ruby Whirlwind TourJ Ruby Whirlwind Tour
J Ruby Whirlwind Tour
 
Solr Presentation5
Solr Presentation5Solr Presentation5
Solr Presentation5
 
Os Borger
Os BorgerOs Borger
Os Borger
 
Os Harkins
Os HarkinsOs Harkins
Os Harkins
 
Os Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman WiifmOs Fitzpatrick Sussman Wiifm
Os Fitzpatrick Sussman Wiifm
 
Os Bunce
Os BunceOs Bunce
Os Bunce
 
Yuicss R7
Yuicss R7Yuicss R7
Yuicss R7
 
Performance Whack A Mole
Performance Whack A MolePerformance Whack A Mole
Performance Whack A Mole
 
Os Fogel
Os FogelOs Fogel
Os Fogel
 
Os Lanphier Brashears
Os Lanphier BrashearsOs Lanphier Brashears
Os Lanphier Brashears
 
Os Tucker
Os TuckerOs Tucker
Os Tucker
 
Os Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman SwpOs Fitzpatrick Sussman Swp
Os Fitzpatrick Sussman Swp
 
Os Furlong
Os FurlongOs Furlong
Os Furlong
 
Os Berlin Dispelling Myths
Os Berlin Dispelling MythsOs Berlin Dispelling Myths
Os Berlin Dispelling Myths
 
Os Kimsal
Os KimsalOs Kimsal
Os Kimsal
 
Os Pruett
Os PruettOs Pruett
Os Pruett
 
Os Alrubaie
Os AlrubaieOs Alrubaie
Os Alrubaie
 
Os Keysholistic
Os KeysholisticOs Keysholistic
Os Keysholistic
 
Os Jonphillips
Os JonphillipsOs Jonphillips
Os Jonphillips
 
Os Urnerupdated
Os UrnerupdatedOs Urnerupdated
Os Urnerupdated
 

Último

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Os Rash

  • 1. Iptables Attack Visualization Michael Rash Security Architect Enterasys Networks, Inc. http://www.cipherdyne.org/ OSCON 2007­07­26   Copyright (C) 2007 Michael Rash 1
  • 2. Agenda Why visualize iptables log data? ● context and change – iptables log message formats and data  – completeness New psad­2.0.8 release with Gnuplot interface ● Honeynet Project Scan34 iptables  ● visualizations (see http://www.honeynet.org) Gnuplot – AfterGlow –   Copyright (C) 2007 Michael Rash 2
  • 3. Why Visualize Data? Consider the following set of values (each value  ● represents the number of packets to unique  TCP ports per minute): 5, 4, 2, 1, 3, 4, 55, 58, 70, 85, 120, 9, 2, 3, 1, 5, 4   Copyright (C) 2007 Michael Rash 3
  • 4. Seeing the Trend   Copyright (C) 2007 Michael Rash 4
  • 5. Graph Types Gnuplot ● Dots, points, lines through points – Good at seeing  – trends and relationships in large data sets (>  100,000 points) 3D mode with interactive viewing – AfterGlow ● Link Graphs – Good at expressing network  – relationships with IP addresses    Copyright (C) 2007 Michael Rash 5
  • 6. Iptables Log Data Graphs will only be as good as the data source  ● permits Iptables logs include nearly every interesting  ● field for both the network and transport layer  headers – we just need an effective way to  parse and then visualize this data Iptables log messages can be tied to  ● application layer string matches via the string  match extension (see fwsnort)   Copyright (C) 2007 Michael Rash 6
  • 7. iptables IP Header Coverage   Copyright (C) 2007 Michael Rash 7
  • 8. iptables TCP Header Coverage   Copyright (C) 2007 Michael Rash 8
  • 9. iptables TCP Log Message Jul 11 20:21:22 minastirith kernel: [199]  SID1361 ESTAB IN=eth1 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=60  TOS=0x00 PREC=0x00 TTL=63 ID=11112 DF  PROTO=TCP SPT=28778 DPT=80 WINDOW=5840  RES=0x00 ACK PSH URGP=0 OPT  (0101080A02A041D20CC386B1)   Copyright (C) 2007 Michael Rash 9
  • 10. iptables UDP Header Coverage   Copyright (C) 2007 Michael Rash 10
  • 11. iptables UDP Log Message Jul 11 20:50:54 minastirith kernel: [153]  SID2001597 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=40  TOS=0x00 PREC=0x00 TTL=63 ID=29758 DF  PROTO=UDP SPT=32046 DPT=61 LEN=20   Copyright (C) 2007 Michael Rash 11
  • 12. iptables ICMP Header Coverage   Copyright (C) 2007 Michael Rash 12
  • 13. iptables ICMP Log Message Jul 11 20:57:18 minastirith kernel: [98]  SID2003294 IN=eth0 OUT=  MAC=00:13:d3:38:b6:e4:00:13:46:c2:60:44:08:0 0 SRC=192.168.10.3 DST=192.168.10.1 LEN=128  TOS=0x00 PREC=0x00 TTL=63 ID=53466  PROTO=ICMP TYPE=8 CODE=0 ID=27459 SEQ=0   Copyright (C) 2007 Michael Rash 13
  • 14. psad­2.0.8 release Interfaces with Gnuplot – parses iptables log data  ● according to header field requirements and builds both a  data file and a directives file for Gnuplot Various counting modes are supported across different  ● time scales Granular requirements on iptables field values (including  ● negation) Gnuplot works best with integer data (separated by  ● commas or spaces), so IP addresses need to be  translated into integer equivalents   Copyright (C) 2007 Michael Rash 14
  • 15. psad­2.0.8 release (cont'd) psad ­­gnuplot command line arguments: ●     ­­gnuplot­graph­style ­ “points”, “dots”, “linespoints”     ­­gnuplot­file­prefix ­ <file>.gnu, <file>.dat, <file>.png     ­­gnuplot­title – Graph title (used for psad command line)     ­­gnuplot­sort­style – time sorting vs. value sorting     ­­gnuplot­3D – Use “splot” for three­dimensional viewing     ­­gnuplot­view – Set viewing angle   Copyright (C) 2007 Michael Rash 15
  • 16. The Honeynet Scan34 Data Set The goal of a Honeynet is to collect data on real  ● compromises – packet traces and log data is an excellent  learning tool Over 170,000 lines of iptables log data in the Scan34  ● challenge – covers a five week period Contains evidence of port scans, port sweeps, worm traffic  ● (Slammer, Nachi), and an outright compromise of a  system – we will visualize these graphically All IP addresses are sanitized to 11.11.0.0/16 ● http://www.honeynet.org/ ●   Copyright (C) 2007 Michael Rash 16
  • 17. Port Scans Packets to many different ports from a single  ● source address Not just SYN packets, think of Nmap ­sF, ­sN,  ● ­sX, ­sA, (also ­sU for UDP) Visualize with IP address vs. the number of  ● packets to unique ports   Copyright (C) 2007 Michael Rash 17
  • 18. psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:countuniq” ­­gnuplot­graph points  ­­gnuplot­xrange 0:26500 –gnuplot­ file­prefix portscan   Copyright (C) 2007 Michael Rash 18
  • 19. Visualizing Port Scans (IP vs.  Packet Count to Unique Ports)   Copyright (C) 2007 Michael Rash 19
  • 20. psad Gnuplot data files # Generated by psad v2.0.8 (file revision: 2092) # Command line: 'psad ­m iptables.data ­­gnuplot ­­CSV­fields src:not11.11.0.0/16  dp:countuniq ­­gnuplot­graph points ­­gnuplot­xrange 0:26500 ­­gnuplot­file­prefix  portscan ­­use­store portscan.store' # Time stamp:  Sun Jul  8 13:43:28 2007 905, 66  ### 905=60.248.80.102  12415, 10  ### 12415=63.135.2.15  15634, 10  ### 15634=63.186.32.94  24950, 10  ### 24950=218.85.9.143  16374, 8  ### 16374=63.204.104.150    Copyright (C) 2007 Michael Rash 20
  • 21. When Did the Heaviest Scan  Occur?   Copyright (C) 2007 Michael Rash 21
  • 22. psad Analysis of Scanner:  60.248.80.102 psad ­m iptables.data ­A ­­analysis­fields quot;src:60.248.80.102quot; SRC:  60.248.80.102, DL: 2, Dsts: 1, Pkts: 67, Unique sigs: 3 DST: 11.11.79.125         Scanned ports: UDP 7­43981, Pkts: 53, Chain: FORWARD, Intf: br0         Scanned ports: TCP 68­32783, Pkts: 14, Chain: FORWARD, Intf: br0         Signature match: quot;POLICY vncviewer Java applet download attemptquot;         TCP, Chain: FORWARD, Count: 1, DP: 5802, SYN, Sid: 1846         Signature match: quot;PSAD­CUSTOM Slammer communication attemptquot;         UDP, Chain: FORWARD, Count: 1, DP: 1434, Sid: 100208         Signature match: quot;RPC portmap listing UDP 32771quot;         UDP, Chain: FORWARD, Count: 1, DP: 32771, Sid: 1281   Copyright (C) 2007 Michael Rash 22
  • 23. Port Sweeps Packets to a single port number across many  ● hosts Good evidence of an automated worm (or  ● human) that can exploit a specific vulnerability  in a particular service Visualize with external IP addresses vs.  ● destination ports vs. packet count   Copyright (C) 2007 Michael Rash 23
  • 24. psad Command psad ­m iptables.data ­­gnuplot ­­ CSV­fields “src:not11.11.0.0/16  dp:count” ­­gnuplot­graph points -- gnuplot-3d ­­gnuplot­view 74,77 ­­ gnuplot­file­prefix portsweep   Copyright (C) 2007 Michael Rash 24
  • 25. Visualizing Port Sweeps (IP vs.  Destination Port vs. Packet Count)   Copyright (C) 2007 Michael Rash 25
  • 26. The Top Port Sweeper:  200.216.205.189 vs. TCP/3306   Copyright (C) 2007 Michael Rash 26
  • 27. The Top Port Sweeper (Link Graph)   Copyright (C) 2007 Michael Rash 27
  • 28. Slammer Worm Exploited a vulnerability in MS SQL Server  ● 2000 Single 404­byte UDP packet to port 1434 ● One of the fastest spreading worms in history ● Can easily be spoofed – useless to return ICMP  ● port unreachable with your IDS; need to block  the packet with an IPS and patch the  vulnerability   Copyright (C) 2007 Michael Rash 28
  • 29. Visualizing the Slammer Worm  (UDP 404­byte Packets vs. Hours)   Copyright (C) 2007 Michael Rash 29
  • 31. Nachi Worm Exploits Windows 2000 and XP systems that  ● are not patched against the MS03­026  vulnerability Always sends a 92­byte ICMP echo request to  ● a target system before attempting to exploit the  vulnerability This ICMP packet makes the worm easy to  ● detect   Copyright (C) 2007 Michael Rash 31
  • 32. Nachi Worm (92­Byte ICMP Packet  vs. Hours)   Copyright (C) 2007 Michael Rash 32
  • 33.   Copyright (C) 2007 Michael Rash 33
  • 34. Detecting A Compromised System  with Outbound Connections Honeynet systems should not make outbound  ● connections to external networks (except for  administrative or reporting communication with  known addresses) SSH and IRC connections are particularly  ● suspicious   Copyright (C) 2007 Michael Rash 34
  • 35. Outbound Connections   Copyright (C) 2007 Michael Rash 35
  • 36.    
  • 37. Iptables Logging Args When building iptables LOG rules: ● Use ­­log­ip­options – Use ­­log­tcp­sequence – Use ­­log­tcp­options – More attacks can be detected, and operating  – systems can be passively fingerprinted   Copyright (C) 2007 Michael Rash 37
  • 38. 3D Graphing Demo...   Copyright (C) 2007 Michael Rash 38
  • 39. No Starch Press, Sept 2007   Copyright (C) 2007 Michael Rash 39
  • 40. Questions? http://www.cipherdyne.org/ mbr@cipherdyne.org   Copyright (C) 2007 Michael Rash 40