embracing the chaos


Presentation Transcript


  1. embracing the chaos mark lorenc lorencm@ornl.gov

  2. cyber security geek • ORNL for a year • formerly unix sysadmin • open networks

  3. virtual computing data cloud

  4. [a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?

  5. [regex from slide 4] “What could possibly go wrong?”
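The pattern on slides 4 and 5 is the widely circulated "practical" e-mail address matcher. The following is an added example, not part of the talk: it runs the slide's regex, copied verbatim, through Python's re against a handful of constructed probe strings (the ORNL address is the speaker's; everything else is made up) to show two of the things that go wrong. The character classes are all lowercase, so a perfectly valid User@Example.COM is rejected outright, and the pattern carries no anchors, so anything using search or findall rather than fullmatch will harvest addresses out of surrounding junk.

```python
import re

# The pattern from the slide, copied verbatim: lowercase-only classes and
# no anchors of its own.
EMAIL_PATTERN = (
    r"[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
)
EMAIL_RE = re.compile(EMAIL_PATTERN)
EMAIL_RE_CI = re.compile(EMAIL_PATTERN, re.IGNORECASE)


def is_address(s, ignore_case=False):
    """Validate: the whole string must be exactly one address (anchored)."""
    rx = EMAIL_RE_CI if ignore_case else EMAIL_RE
    return rx.fullmatch(s) is not None


def extract_addresses(text, ignore_case=False):
    """Harvest: every substring the pattern accepts, the way an unanchored
    search (log scraping, a DLP filter) sees it."""
    rx = EMAIL_RE_CI if ignore_case else EMAIL_RE
    return rx.findall(text)


# Constructed probe strings (not from the talk) paired with the verdict a
# human reading RFC 5322 would give.
PROBES = [
    ("lorencm@ornl.gov", True),
    ("first.last@sub.example.co.uk", True),
    ("User@Example.COM", True),        # valid; rejected because the classes are lowercase
    ("bob@localhost", True),           # syntactically valid single-label domain; rejected, needs a dot
    ('"john doe"@example.com', True),  # RFC 5322 quoted local part; rejected
    ("a@b.", False),                   # trailing dot; correctly rejected
    ("no-at-sign.example.com", False),
]


def disagreements(ignore_case=False):
    """Probe strings where the regex and the human disagree."""
    return [s for s, human in PROBES if is_address(s, ignore_case) != human]


if __name__ == "__main__":
    for s in disagreements():
        print("regex disagrees:", s)
    print(extract_addresses(
        "Contact Alice <alice@example.org> or mailto:bob.smith@corp.example.net?subject=hi"))
```

Compiling with re.IGNORECASE removes the first disagreement only; the dotless domain and the quoted local part stay rejected, which is the point of the slide: the "simple" validator encodes policy you may not have meant to adopt.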

  6. “Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”

  10. netflow version 5 • source IP address • destination IP address • next hop router IP address • packet count • byte count • source port • destination port • TCP flags • layer 4 protocol • time at start of flow • time at end of flow

  11. hot botnet of the week? long term trending? advanced host /network filtering? today’s current spearphishing attack? unflattering Halloween costume? SANS top 10?

  12. flow-tools, fprobe, probescan, flowd, psyche, ntop, lots of others • flow-tools → discrete remote IPs and timestamps → database of your liking → grind through data, possibly index → profit!
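Slide 10 lists the fields a NetFlow v5 record carries and slide 12 sketches the pipeline (flows in, discrete remote IPs and timestamps out, then a database). The following is an added example, not from the talk and not flow-tools: a Python parser for the v5 export datagram (24-byte header, 48-byte fixed records, network byte order) that yields the slide's fields, converts the router-uptime first/last stamps to wall-clock time against the header's export time, and collapses the flows to the per-remote-IP summary the pipeline's first step produces. The sample datagram is constructed in the block; the 160.91.0.0/16 "local" network is an assumption taken from the addresses in the talk's own log samples, not a statement about ORNL's address plan.

```python
import ipaddress
import socket
import struct

# Wire layout of a Cisco NetFlow v5 export datagram (network byte order):
# a 24-byte header followed by up to 30 fixed 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sys_uptime(ms), unix_secs,
                                       # unix_nsecs, flow_sequence, engine_type,
                                       # engine_id, sampling_interval
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask,
# dst_mask, pad2
assert HEADER.size == 24 and RECORD.size == 48

# Assumed local address space (taken from the addresses in the talk's logs).
LOCAL_NET = ipaddress.ip_network("160.91.0.0/16")


def parse_v5(datagram):
    """Unpack one v5 datagram into flow dicts carrying slide 10's field set."""
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     _seq, _etype, _eid, _sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if count > 30 or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count does not fit the datagram")
    # first/last are router uptime in ms; anchor them to the export wall clock.
    export_time = unix_secs + unix_nsecs / 1e9
    flows = []
    for i in range(count):
        (src, dst, nexthop, _in, _out, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop),
            "packets": pkts, "bytes": octets,
            "sport": sport, "dport": dport,
            "tcp_flags": tcp_flags, "proto": proto,
            "start": export_time - (sys_uptime - first) / 1000.0,
            "end": export_time - (sys_uptime - last) / 1000.0,
        })
    return flows


def summarize_by_remote(flows, local_net=LOCAL_NET):
    """Slide 12's first step: discrete remote IPs with first/last seen,
    volume and the ports touched on the remote side."""
    out = {}
    for f in flows:
        if ipaddress.ip_address(f["src"]) in local_net:
            remote, rport = f["dst"], f["dport"]
        else:
            remote, rport = f["src"], f["sport"]
        s = out.setdefault(remote, {"flows": 0, "bytes": 0, "first": f["start"],
                                    "last": f["end"], "ports": set()})
        s["flows"] += 1
        s["bytes"] += f["bytes"]
        s["first"] = min(s["first"], f["start"])
        s["last"] = max(s["last"], f["end"])
        s["ports"].add(rport)
    for s in out.values():
        s["ports"] = sorted(s["ports"])
    return out


def build_v5(flows, unix_secs, sys_uptime, seq=0):
    """Pack a datagram from (src, dst, pkts, octets, first_ms, last_ms, sport,
    dport, tcp_flags, proto) tuples; used only to construct sample input."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), 0, 0,
                    pk, oc, fi, la, sp, dp, 0, fl, pr, 0, 0, 0, 0, 0, 0)
        for s, d, pk, oc, fi, la, sp, dp, fl, pr in flows)
    return HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0) + body


# Constructed sample export (not real data): router uptime 100 s, exported
# at unix time 1243012800. Flags 0x1B = FIN|SYN|PSH|ACK, 0x02 = lone SYN.
SAMPLE = build_v5([
    ("160.91.20.87", "69.63.176.13", 12, 3400, 90_000, 95_000, 51234, 80, 0x1B, 6),
    ("69.63.176.13", "160.91.20.87", 10, 120_000, 90_100, 95_000, 80, 51234, 0x1B, 6),
    ("160.91.20.87", "198.51.100.7", 1, 60, 60_000, 60_000, 40000, 4444, 0x02, 6),
    ("203.0.113.5", "160.91.1.30", 1, 80, 99_000, 99_000, 53000, 53, 0, 17),
], unix_secs=1243012800, sys_uptime=100_000)
FLOWS = parse_v5(SAMPLE)
SUMMARY = summarize_by_remote(FLOWS)

if __name__ == "__main__":
    for ip, s in sorted(SUMMARY.items(), key=lambda kv: kv[1]["last"], reverse=True):
        print(ip, s)
```

The per-remote rows are what you would actually load into the database of your liking; keeping the raw parsed flows alongside them is what lets you go back to the minutiae when a remote address turns out to matter.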

  13. problems: • easy to get lost in the minutiae • duplication of work amongst analysts • make sure your datasets are complete solutions: • documentation is the sad answer • mailing lists • command line entries • full blown ticketing system (please no) • sit everyone in the same room

  14. DNS Logs May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +

  15. URL Common Logs (urlsnarf) 160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"

  16. Homebrew data sources
  #!/bin/bash
  # Established connections to the local listener on port 9997: how many in
  # total, and how many distinct remote addresses they come from.
  unique=$(netstat -an | grep :9997 | grep EST | sed -e 's/.*:9997 *//' -e 's/:.*//' | sort -u | wc -l)
  total=$(netstat -an | grep :9997 | grep EST | wc -l)
  echo "netstat total=$total unique=$unique"

  17. Windows Event Logs

  18. A few notes about windows event logs for the brave... • Different operating systems have different codes • Overloaded variable names exist in one event • Inconsistent formats between applications • Forced API usage – no flat text file interface • Difficult to adjust what should or should not be logged • Designed around forensics and not discovery

  19. PCAP – raw data capture • your largest dataset • easily the hardest to use • computationally intensive • smoking gun (unless the traffic is encrypted...) • location of the tap? • software used? • tcpdump, time machine, wireshark, tshark... many technologies All of these technologies can be combined to create something beautiful!
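Slide 19 calls PCAP the largest and hardest dataset, and closes by saying the sources can be combined. The following is an added example, not from the talk and not one of the tools it lists: a minimal classic-pcap reader in Python that decodes Ethernet/IPv4 with TCP or UDP and folds the packets into unidirectional 5-tuple flows carrying the same counters NetFlow v5 exports (packets, bytes, first, last, OR of the TCP flags). That reduction is the usual first step in making a capture joinable with flow and log data. The sample capture is constructed in the block with zeroed checksums, so it is parseable but not replayable; only link type 1 without VLAN tags or IPv6 is handled, and the byte order is taken from the file's magic.

```python
import socket
import struct

# Classic libpcap file: 24-byte global header, then a 16-byte record header
# before every captured frame. Byte order follows the magic number.
PCAP_HDR_FMT = "IHHiIII"                # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC_FMT = "IIII"                   # ts_sec, ts_usec, incl_len, orig_len
ETH = struct.Struct("!6s6sH")           # dst, src, ethertype
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, total_len, id, flags/frag, ttl, proto, csum, src, dst
TCP = struct.Struct("!HHIIBBHHH")       # sport, dport, seq, ack, offset, flags, window, csum, urgent
UDP = struct.Struct("!HHHH")            # sport, dport, length, csum


def decode_frame(frame):
    """Reduce one Ethernet frame to NetFlow-style fields, or None if not IPv4."""
    if len(frame) < ETH.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != 0x0800:             # no VLAN tags, ARP or IPv6 handled here
        return None
    off = ETH.size
    if len(frame) < off + IPV4.size:
        return None
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = IPV4.unpack_from(frame, off)
    if ver_ihl >> 4 != 4:
        return None
    off += (ver_ihl & 0x0F) * 4         # honour IP options
    pkt = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
           "bytes": total_len, "sport": None, "dport": None, "tcp_flags": 0}
    if flags_frag & 0x1FFF:             # later fragment: no transport header present
        return pkt
    if proto == 6 and len(frame) >= off + TCP.size:
        sport, dport, _, _, _, flags, _, _, _ = TCP.unpack_from(frame, off)
        pkt.update(sport=sport, dport=dport, tcp_flags=flags)
    elif proto == 17 and len(frame) >= off + UDP.size:
        sport, dport, _, _ = UDP.unpack_from(frame, off)
        pkt.update(sport=sport, dport=dport)
    return pkt


def read_pcap(data):
    """Yield decoded packets from an in-memory pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    hdr = struct.Struct(endian + PCAP_HDR_FMT)
    rec = struct.Struct(endian + PCAP_REC_FMT)
    if hdr.unpack_from(data, 0)[6] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = hdr.size
    while off + rec.size <= len(data):
        sec, usec, incl, _orig = rec.unpack_from(data, off)
        off += rec.size
        pkt = decode_frame(data[off:off + incl])
        off += incl
        if pkt:
            pkt["ts"] = sec + usec / 1e6
            yield pkt


def flow_table(packets):
    """Aggregate packets into unidirectional 5-tuple flows with v5-style counters."""
    flows = {}
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p["ts"],
                                   "last": p["ts"], "tcp_flags": 0})
        f["packets"] += 1
        f["bytes"] += p["bytes"]
        f["first"] = min(f["first"], p["ts"])
        f["last"] = max(f["last"], p["ts"])
        f["tcp_flags"] |= p["tcp_flags"]
    return flows


# --- constructed sample capture (checksums left at zero; not replayable) ---
def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    seg = TCP.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = IPV4.pack(0x45, 0, IPV4.size + len(seg), 0, 0x4000, 64, 6, 0,
                   socket.inet_aton(src), socket.inet_aton(dst)) + seg
    return ETH.pack(bytes(6), bytes(6), 0x0800) + ip


def build_pcap(frames):
    out = [struct.pack("<" + PCAP_HDR_FMT, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, frame in frames:
        out.append(struct.pack("<" + PCAP_REC_FMT, sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


C, S = "160.91.20.87", "69.63.176.13"
SAMPLE_PCAP = build_pcap([
    (1243012790, 0, tcp_frame(C, S, 51234, 80, 0x02)),      # SYN
    (1243012790, 1000, tcp_frame(S, C, 80, 51234, 0x12)),   # SYN/ACK
    (1243012790, 2000, tcp_frame(C, S, 51234, 80, 0x10)),   # ACK
    (1243012790, 3000, tcp_frame(C, S, 51234, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n")),
])
FLOWS = flow_table(read_pcap(SAMPLE_PCAP))

if __name__ == "__main__":
    for key, f in FLOWS.items():
        print(key, f)
```

The keys this produces are the same (src, dst, sport, dport, proto) tuples NetFlow v5 records carry, so a capture reduced this way can be joined against exported flows to find what the tap saw that the router did not, and vice versa. Where the traffic is encrypted the payload is still opaque, but the flow shape, timing and flag history survive.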

  20. thanks!
