embracing the chaos
Managed by UT-Battelle for the U.S. Department of Energy
• cyber security geek
• ORNL for a year
• formerly unix sysadmin
• open networks
virtual computing data cloud
[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
“What could possibly go wrong?”
“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”
netflow version 5
• source IP address
• destination IP address
• next hop router IP address
• packet count
• byte count
• source port
• destination port
• TCP flags
• layer 4 protocol
• time at start of flow
• time at end of flow
SANS top 10?
hot botnet of the week?
today’s current spearphishing attack?
long term trending?
advanced host /network filtering?
unflattering Halloween costume?
flow-tools, fprobe, probescan, flowd, psyche, ntop, lots of others
flow-tools
discrete remote IPs and timestamps
database of your liking
grind through data, possibly index
profit!
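The NetFlow v5 record fields listed above and the "flow-tools, then a database, then grind" pipeline, as an added worked example that is not code from the original slides or from flow-tools: it decodes a v5 export datagram, loads the flows into an indexed SQLite table, and asks one analyst question (which sources sent single-packet SYN-only flows to several ports). The datagram, the RFC 5737 addresses and the timestamp are constructed; the helper names are my own.

```python
"""Added example: decode a NetFlow v5 export datagram into the per-flow fields
listed on the slide, load them into SQLite, and run one hunting query.
Not from the original slides; the datagram below is constructed."""
import socket
import sqlite3
import struct
from collections import namedtuple

# Wire layout of the NetFlow v5 export format: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

Flow = namedtuple("Flow", "src dst nexthop packets octets first last sport dport tcp_flags proto")


def parse_v5(datagram):
    """Return (unix_secs, [Flow, ...]); first/last are router uptime in milliseconds."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, _nsecs, _seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Never trust the count field before checking it against the real length.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds datagram length")
    flows = []
    for i in range(count):
        (src, dst, nexthop, _ifin, _ifout, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), socket.inet_ntoa(nexthop),
                          pkts, octets, first, last, sport, dport, flags, proto))
    return unix_secs, flows


def build_v5(rows, unix_secs, uptime_ms=600000):
    """Pack (src, dst, sport, dport, proto, tcp_flags, packets, octets) rows into a v5 datagram."""
    header = V5_HEADER.pack(5, len(rows), uptime_ms, unix_secs, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton("192.0.2.1"),
                       1, 2, pk, oc, uptime_ms - 5000, uptime_ms - 4000, sp, dp,
                       0, fl, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, fl, pk, oc in rows)
    return header + body


def load(unix_secs, flows):
    """The 'database of your liking' step: an indexed SQLite table, in memory here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (ts INTEGER, src TEXT, dst TEXT, sport INTEGER, dport INTEGER,"
               " proto INTEGER, flags INTEGER, packets INTEGER, octets INTEGER)")
    db.execute("CREATE INDEX flows_src ON flows (src)")
    db.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?,?,?)",
                   [(unix_secs, f.src, f.dst, f.sport, f.dport, f.proto, f.tcp_flags, f.packets, f.octets)
                    for f in flows])
    return db


def syn_scanners(db, min_ports=3):
    """Sources whose one-packet SYN-only TCP flows (flags == 0x02) hit >= min_ports distinct ports."""
    return db.execute(
        "SELECT src, COUNT(DISTINCT dport) AS n FROM flows"
        " WHERE proto = 6 AND flags = 2 AND packets = 1"
        " GROUP BY src HAVING n >= ? ORDER BY n DESC", (min_ports,)).fetchall()


# Constructed sample (RFC 5737 addresses): one host probing four ports, one normal HTTPS session.
SAMPLE_ROWS = [
    ("203.0.113.7", "198.51.100.10", 40001, 22, 6, 0x02, 1, 60),
    ("203.0.113.7", "198.51.100.10", 40002, 23, 6, 0x02, 1, 60),
    ("203.0.113.7", "198.51.100.10", 40003, 80, 6, 0x02, 1, 60),
    ("203.0.113.7", "198.51.100.10", 40004, 443, 6, 0x02, 1, 60),
    ("198.51.100.20", "192.0.2.5", 51512, 443, 6, 0x1b, 12, 4821),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_ROWS, unix_secs=1243019879)

if __name__ == "__main__":
    ts, flows = parse_v5(SAMPLE_DATAGRAM)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"flags=0x{f.tcp_flags:02x} pkts={f.packets} bytes={f.octets}")
    print("SYN scan candidates:", syn_scanners(load(ts, flows)))
```

Real collectors receive these datagrams over UDP, so the length check before the record loop matters: a short or corrupt datagram must not turn into a silent struct error in the middle of the night. The query is deliberately plain SQL so that it survives the move from SQLite to whatever database you actually pick.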
problems:
• easy to get lost in the minutiae
• duplication of work amongst analysts
• make sure your datasets are complete
solutions:
• documentation is the sad answer
• mailing lists
• command line entries
• full blown ticketing system (please no)
• sit everyone in the same room
DNS Logs
May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +
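A parser for BIND query-log lines in the shape shown above, plus two quick pivots (top talkers, and names that only one client ever asked for), as an added example that is not code from the original slides. The sample lines are constructed with RFC 5737 addresses in the same syslog-plus-named layout; the function names are my own.

```python
"""Added example (not from the slides): parse BIND 9 query-log lines in the format
shown above and pivot on them. Sample lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# "client <ip>#<port>: [view <name>:] query: <qname> <class> <type> <flags>" as BIND 9 logs it.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): (?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) ?(?P<flags>\S*)")
NAMED_TS_RE = re.compile(r"(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_query_log(line):
    """Return a dict for a query line, or None for any other named/syslog line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise so grouping by name works
    t = NAMED_TS_RE.search(line)
    rec["ts"] = datetime.strptime(t.group(1), "%d-%b-%Y %H:%M:%S.%f") if t else None
    return rec


def parse_all(lines):
    return [r for r in map(parse_query_log, lines) if r is not None]


def queries_per_client(records):
    """Who talks to the resolver most: a quick top-talkers view."""
    return Counter(r["client"] for r in records).most_common()


def singleton_names(records):
    """Names asked for exactly once in the window, with the one client that asked.
    Everyone resolves www.example.com; a name only one host ever wanted is worth a look."""
    askers = defaultdict(list)
    for r in records:
        askers[r["qname"]].append(r["client"])
    return {name: clients[0] for name, clients in askers.items() if len(clients) == 1}


# Constructed sample in the same shape as the slide's line (Solaris syslog prefix + named query log).
SAMPLE_LINES = [
    "May 22 15:17:59 192.0.2.53 srcip=192.0.2.53 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 192.0.2.10#62031: view ns1: query: www.example.com IN A +",
    "May 22 15:18:01 192.0.2.53 srcip=192.0.2.53 named[23144]: [ID 873579 local3.info] 22-May-2009 15:18:01.120 queries: info: client 192.0.2.11#40111: view ns1: query: www.example.com IN A +",
    "May 22 15:18:02 192.0.2.53 srcip=192.0.2.53 named[23144]: [ID 873579 local3.info] 22-May-2009 15:18:02.004 queries: info: client 192.0.2.10#62032: view ns1: query: mail.example.net IN MX +",
    "May 22 15:18:05 192.0.2.53 srcip=192.0.2.53 named[23144]: [ID 873579 local3.info] 22-May-2009 15:18:05.338 general: info: zone example.com/IN: loaded serial 2009052201",
    "May 22 15:18:07 192.0.2.53 srcip=192.0.2.53 named[23144]: [ID 873579 local3.info] 22-May-2009 15:18:07.551 queries: info: client 192.0.2.12#33201: view ns1: query: xk7q2m.example.org IN A +",
    "May 22 15:18:09 192.0.2.53 srcip=192.0.2.53 named[23144]: [ID 873579 local3.info] 22-May-2009 15:18:09.876 queries: info: client 192.0.2.12#33202: view ns1: query: www.example.com IN AAAA +",
]

if __name__ == "__main__":
    recs = parse_all(SAMPLE_LINES)
    print("queries per client:", queries_per_client(recs))
    print("names asked once:", singleton_names(recs))
```

The regex anchors on the `client ... query:` portion rather than the syslog prefix, so the same parser works whether the lines arrive via a Solaris syslog relay (as on the slide) or straight from named's own log file; non-query lines from the same logger are simply dropped.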
URL Common Logs (urlsnarf)
160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"
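A parser for the urlsnarf output above (Common Log Format with the full URL in the request line and `-` for status and size), plus two hunting pivots that this data source is good for: requests to a bare IP address, which never appear in the DNS logs, and User-Agent strings seen from only one client. This is an added example, not code from the slides or from dsniff/urlsnarf; the log lines are constructed with RFC 5737 addresses and the function names are my own.

```python
"""Added example (not from the slides): parse urlsnarf's Common Log Format output
as shown above and pivot on it. Sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# urlsnarf emits CLF with the full URL in the request line; status and size are "-".
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<version>[^"]*)" (?P<status>\S+) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_urlsnarf(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def parse_all(lines):
    return [r for r in map(parse_urlsnarf, lines) if r is not None]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def raw_ip_requests(records):
    """Requests to a bare IP instead of a name: no resolver was consulted, so the DNS
    logs are blind to them and this is the only place they show up."""
    return [(r["client"], r["url"]) for r in records if is_ip_literal(r["host"])]


def rare_user_agents(records):
    """User-Agent strings seen from exactly one client in the window."""
    clients = defaultdict(set)
    for r in records:
        clients[r["ua"]].add(r["client"])
    return {ua: next(iter(c)) for ua, c in clients.items() if len(c) == 1}


# Constructed sample in the slide's format; the POST to a bare IP is the odd one out.
SAMPLE_LINES = [
    '192.0.2.10 - - [22/May/2009:15:20:17 -0400] "GET http://www.example.com/index.html HTTP/1.1" - - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '192.0.2.11 - - [22/May/2009:15:20:19 -0400] "GET http://www.example.com/logo.gif HTTP/1.1" - - "http://www.example.com/index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '192.0.2.12 - - [22/May/2009:15:20:23 -0400] "POST http://198.51.100.77/gate.php HTTP/1.0" - - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [22/May/2009:15:20:25 -0400] "GET http://cdn.example.net/app.js HTTP/1.1" - - "http://www.example.com/index.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    "this line is not CLF and is skipped",
]

if __name__ == "__main__":
    recs = parse_all(SAMPLE_LINES)
    print("bare-IP requests:", raw_ip_requests(recs))
    print("single-client user agents:", rare_user_agents(recs))
```

Both pivots are only as good as the window you run them over; a User-Agent that is unique in five minutes of traffic may be the corporate standard an hour later, so compute them over the same completeness-checked dataset the analysts share.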
Homebrew data sources
#!/bin/bash
# Homebrew data source: count ESTABLISHED connections to local port 9997 and the distinct remote peers behind them.
est=$(netstat -an | grep ':9997 ' | grep EST)
total=$(printf '%s\n' "$est" | grep -c EST)
unique=$(printf '%s\n' "$est" | sed -e 's/.*:9997 *//' -e 's/:.*//' | sort -u | grep -c .)
echo "netstat total=$total unique=$unique"
Windows Event Logs
A few notes about windows event logs for the brave...
• Different operating systems have different codes
• Overloaded variable names exist in one event
• Inconsistent formats between applications
• Forced API usage – no flat text file interface
• Difficult to adjust what should or should not be logged
• Designed around forensics and not discovery
PCAP – raw data capture
• your largest dataset
• easily the hardest to use
• computationally intensive
• smoking gun (unless the traffic is encrypted...)
• location of the tap?
• software used?
• tcpdump, time machine, wireshark, tshark... many technologies
All of these technologies can be combined to create something beautiful!
thanks!