embracing the chaos
Mark Lorenc, lorencm@ornl.gov
cyber security geek
• ORNL for a year
• formerly unix sysadmin
• open networks
[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
“What could possibly go wrong?”
“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”
netflow version 5
• source IP address
• destination IP address
• next hop router IP address
• packet count
• byte count
• source port
• destination port
• TCP flags
• layer 4 protocol
• time at start of flow
• time at end of flow
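The fields above are exactly what a v5 export datagram carries: a 24-byte header followed by up to 30 fixed 48-byte records, all in network byte order (the layout is Cisco's documented v5 format). The following decoder is an added example, not code from the talk or from flow-tools: it builds a constructed two-record datagram (addresses, ports and timestamps are made up), unpacks every field listed on the slide, anchors the router-uptime flow times to epoch seconds using the header clock, and picks out one-packet SYN-only flows, the shape a scan leaves in flow data.

```python
import socket
import struct
from typing import Dict, List

# NetFlow v5 wire layout, network byte order (Cisco's published v5 format):
# a 24-byte header followed by `count` records of 48 bytes each.
# Header: version, count, sys_uptime(ms), unix_secs, unix_nsecs, flow_seq,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def flag_string(flags: int) -> str:
    """Render the cumulative-OR TCP flag byte as e.g. 'SYN|ACK' ('-' if none)."""
    names = [name for bit, name in TCP_FLAG_NAMES if flags & bit]
    return "|".join(names) or "-"


def parse_v5(datagram: bytes) -> List[Dict]:
    """Decode one v5 export datagram into one dict per flow record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     _flow_seq, _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header claims {count} records but datagram is {len(datagram)} bytes")
    # 'first'/'last' are router uptime in ms; the header carries the router's
    # wall clock at export time, so the flow times can be anchored to the epoch.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000.0
    flows = []
    for i in range(count):
        (src, dst, nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src_ip": socket.inet_ntoa(src),
            "dst_ip": socket.inet_ntoa(dst),
            "next_hop": socket.inet_ntoa(nexthop),
            "packets": pkts,
            "bytes": octets,
            "src_port": sport,
            "dst_port": dport,
            "tcp_flags": flag_string(tcp_flags),
            "protocol": proto,
            "start": boot_epoch + first / 1000.0,
            "end": boot_epoch + last / 1000.0,
        })
    return flows


def syn_only(flows: List[Dict]) -> List[Dict]:
    """TCP flows that never got past SYN: only the SYN bit set over the whole
    flow, the signature of a scan or an unanswered connection attempt."""
    return [f for f in flows if f["protocol"] == 6 and f["tcp_flags"] == "SYN"]


def build_sample_datagram() -> bytes:
    """Constructed two-record export for the demo (all values are made up)."""
    def rec(src, dst, nh, pkts, octets, first, last, sport, dport, flags, proto):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton(nh), 1, 2, pkts, octets, first, last,
                              sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    # router up 100 s, wall clock 1243016279 at export, 2 records
    header = V5_HEADER.pack(5, 2, 100_000, 1243016279, 0, 1, 0, 0, 0)
    return (header
            + rec("10.0.0.5", "192.0.2.10", "10.0.0.1", 10, 1500, 90_000, 95_000,
                  54321, 80, 0x1B, 6)          # completed web session (FIN|SYN|PSH|ACK)
            + rec("198.51.100.7", "10.0.0.5", "10.0.0.1", 1, 60, 99_000, 99_000,
                  40000, 445, 0x02, 6))        # lone SYN to 445


if __name__ == "__main__":
    flows = parse_v5(build_sample_datagram())
    for f in flows:
        print(f)
    print("SYN-only:", syn_only(flows))
```

The length checks matter when you feed this a real UDP socket: a truncated or spoofed export with a bad count would otherwise raise a struct error deep in the loop instead of a clear rejection.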
hot botnet of the week?
long term trending?
advanced host/network filtering?
today’s current spearphishing attack?
unflattering Halloween costume?
SANS top 10?
flow-tools, fprobe, probescan, flowd, psyche, ntop, lots of others
flow-tools:
• discrete remote IPs and timestamps
• database of your liking
• grind through data, possibly index
• profit!
problems:
• easy to get lost in the minutiae
• duplication of work amongst analysts
• make sure your datasets are complete
solutions:
• documentation is the sad answer
• mailing lists
• command line entries
• full blown ticketing system (please no)
• sit everyone in the same room
DNS Logs
May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +
URL Common Logs (urlsnarf)
160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"
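The two log formats above only become interesting once they are joined. The following is an added example, not code from the talk: it parses BIND query-log lines and urlsnarf Common Log lines into normalized records, then flags HTTP requests where the requesting client never asked our resolver for the host shortly beforehand (a hard-coded IP, or a host resolved somewhere we do not see), which is the kind of question neither log answers on its own. The first line of each sample log is the one from the slide; the remaining lines, with their addresses and URLs, are constructed for the demo, and the five-minute window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlsplit

# Sample input. The first line of each log is the one shown on the slide; the
# remaining lines are constructed for this demo (addresses and URLs made up).
DNS_LOG = """\
May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +
May 22 15:20:16 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:20:16.120 queries: info: client 160.91.20.87#50123: view ns1: query: photos-f.ak.fbcdn.net IN A +
"""
URL_LOG = """\
160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"
160.91.20.87 - - [22/May/2009:15:21:05 -0400] "GET http://203.0.113.9/gate.php?id=1 HTTP/1.1" - - "-" "Mozilla/4.0"
160.91.20.88 - - [22/May/2009:15:21:40 -0400] "GET http://updates.example.net/check HTTP/1.1" - - "-" "Mozilla/4.0"
"""

# BIND query log tail:
#   <date> <time>.<ms> queries: info: client <ip>#<port>: [view <v>:] query: <name> <class> <type> <flags>
DNS_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ queries: info: "
    r"client (?P<client>[\d.]+)#\d+: (?:view \S+: )?query: (?P<qname>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+)")
# urlsnarf Common Log Format:
#   src ident user [ts] "METHOD URL PROTO" status size "referer" "agent"
URL_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\S+ \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_dns(text: str) -> List[Dict]:
    """One record per query line; non-query lines (startup, errors) are skipped."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        events.append({
            # named writes local wall-clock time with no zone; keep it naive.
            "time": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "client": m["client"],
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
        })
    return events


def parse_urls(text: str) -> List[Dict]:
    """One record per request; the host is taken from the absolute URL."""
    events = []
    for line in text.splitlines():
        m = URL_RE.match(line)
        if not m:
            continue
        events.append({
            # The CLF stamp carries an offset; both logs were written on the same
            # local clock, so drop the zone and compare naive local times.
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None),
            "src": m["src"],
            "host": (urlsplit(m["url"]).hostname or "").lower(),
            "url": m["url"],
            "referer": m["referer"],
            "ua": m["ua"],
        })
    return events


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def requests_without_lookup(dns: List[Dict], urls: List[Dict],
                            window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """HTTP requests whose host the same client did not resolve through our
    resolver within `window` beforehand: direct-to-IP traffic, or a name that was
    resolved somewhere we are not logging. Both deserve a second look."""
    lookups: Dict[tuple, List[datetime]] = {}
    for d in dns:
        lookups.setdefault((d["client"], d["qname"]), []).append(d["time"])
    flagged = []
    for u in urls:
        if is_ip_literal(u["host"]):
            flagged.append(dict(u, reason="direct-to-ip"))
            continue
        seen = lookups.get((u["src"], u["host"]), [])
        if not any(u["time"] - window <= t <= u["time"] for t in seen):
            flagged.append(dict(u, reason="no-dns-lookup-seen"))
    return flagged


if __name__ == "__main__":
    for hit in requests_without_lookup(parse_dns(DNS_LOG), parse_urls(URL_LOG)):
        print(hit["time"], hit["src"], hit["reason"], hit["url"])
```

Browser caches and long TTLs mean a legitimate client will also fetch a host without a fresh lookup, so treat "no-dns-lookup-seen" as a lead to rank by how many clients hit the host, not as an alert on its own; "direct-to-ip" is the stronger signal of the two.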
Homebrew data sources
```bash
#!/bin/bash
# Count established TCP connections to local port 9997: the total, and how
# many distinct remote hosts are behind them. Prints one line, suitable for
# piping into whatever collector or trend graph you already run.
port=9997
# First sed strips everything up to and including the local ":port" and the
# following spaces, leaving "remote_ip:remote_port"; the second drops the port.
unique=$(netstat -an | grep ":${port}" | grep EST \
         | sed -e "s/.*:${port} *//" -e 's/:.*//' | sort | uniq | wc -l)
total=$(netstat -an | grep ":${port}" | grep EST | wc -l)
echo "netstat total=${total} unique=${unique}"
```
Windows Event Logs
A few notes about windows event logs for the brave...
• Different operating systems have different codes
• Overloaded variable names exist in one event
• Inconsistent formats between applications
• Forced API usage – no flat text file interface
• Difficult to adjust what should or should not be logged
• Designed around forensics and not discovery
PCAP – raw data capture
• your largest dataset
• easily the hardest to use
• computationally intensive
• smoking gun (unless the traffic is encrypted...)
• location of the tap?
• software used?
• tcpdump, time machine, wireshark, tshark... many technologies
All of these technologies can be combined to create something beautiful!