DAVIX Visualization Workshop
Jan Monsch at iplosion.com, Raffael Marty at secviz.org
Raffael Marty
• Chief Security Strategist, Splunk
• Passion for Visualization
• http://secviz.org, http://afterglow.sourceforge.net

Jan P. Monsch
• Senior Security Analyst
• DAVIX initiator and engineer
• http://davix.secviz.org, http://www.iplosion.com

Applied Security Visualization
• Paperback, 552 pages
• Publisher: Addison Wesley (August 2008)
• ISBN 0321510100
Workshop Preparation
• 30 DAVIX CDs
  - DAVIX image
  - DAVIX manual
  - PCAP file for analysis in /root
• Recommended setup
  - VMware Player or VMware Fusion
  - Bridged or NAT networking
  - Configure host to access DEFCON wireless network
• Copy files to your disk and hand the CD to your neighbor
• VM setup assistance: Chapter 6.1.1 and 6.1.2 in the manual
Agenda
• DAVIX
• Visualization
• Example analysis
• Hands-on analysis
• Show us what you got

Goal
You can use DAVIX to analyze your data

Visualization Questions
• Who analyzes logs?
• Who uses visualization for log analysis?
• Who has used DAVIX?
• Have you heard of SecViz.org?
• What tools are you using for log analysis?
Data Analysis and Visualization Linux (DAVIX)
What is DAVIX?
• Live Linux CD system based on SLAX 6
  - Software packages are modularized
  - Easily customizable
  - Runs from CD/DVD, USB stick or hard drive
• Collection of free tools for data processing & visualization
  - Tools work out of the box
  - No compilation or installation of tools required
• Comes with documentation
  - Quick start description for the most important tools
  - Links to manuals and tutorials

Why Did We Build DAVIX?
• No free solution offering a wide range of visualization tools
  - Huge hurdle for people to get started with visualization
• Cumbersome to get tools running
  - Compiler issues, e.g. gcc 3 vs gcc 4
  - Dependencies on uncommon and old libraries
  - Different runtime environments
• DAVIX goals
  - Getting tools running is simple: the user can concentrate on analysis
  - Easily customizable: users can add missing things
  - Perfect workspace to get you started with visualization
User Interface - Menu Organization
• Menu organized around the information visualization process: Capture, Process, Visualize
• Tools often cover more than one category
  - Afterglow: Process, Visualize
• Additional tools/services
  - Apache, MySQL, NTP

Tools (non-exhaustive list)
• Capture
  - Network tools: Argus, Snort, Wireshark
  - Logging: syslog-ng
  - Fetching data: wget, ftp, scp
• Processing
  - Shell tools: awk, grep, sed
  - Graphic preprocessing: Afterglow, LGL
  - Data enrichment: geoiplookup, whois/gwhois
• Visualization
  - Network traffic: EtherApe, InetVis, tnv
  - Generic: Afterglow, LGL Viewer, Mondrian, R Project
PDF User Manual
• Quick start guide
• Network setup information
• Tool usage examples
• Links to online resources: tool home pages, manuals, tutorials
• Customizing DAVIX
  - Customizing the ISO image
  - Creating new modules
  - Installation on USB stick or hard drive

User Manual in the Menu
• The manual is browsable by chapter …
• … or by individual tool chapters

The Manual Is Not
• Not an introduction to security analysis methodologies
• Not a collection of security analysis use-cases
• Not covering exhaustive examples
  - The usage examples are not security related
  - It is a quick usage guide for the tools
• Look at Raffael's book to get these details

Customizations
• DAVIX and SLAX can be modified in two ways
  - LZM modules: add or remove modules in the directory /slax/modules; modules are highly compressed software packages
  - rootcopy: overwrite or add individual files of LZM modules by copying modified files to the directory /slax/rootcopy
• LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization

Information Visualization Process: Capture, Process, Visualize

Data Formats
• CSV / TSV

```
10002,80,23212,failed
10002,80,23215,success
```

• TM3 (tab-separated, with a header row and a type row)

```
Source   Port     Destination  Action
STRING   INTEGER  STRING       STRING
10002    80       23212        failed
```

• GML
• DOT

```dot
digraph structs {
  graph [label="My Graph"]
  node [shape=ellipse]
  edge [len=1]
  "ram" -> "activity 1"
  "ram" [fillcolor=white]
}
```

AfterGlow 1.x
CSV file → AfterGlow (parser, grapher) → graph language file

CSV input:

```
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping
```

DOT output:

```dot
digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}
```
An Example Analysis: Worms in Mobile Networks
• Problem: find worms in mobile networks
• Data: Call Detail Records (CDR)

```
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
```

• Process: extract the originating and terminating numbers (fields 5 and 6) as CSV

```sh
cat mms.cdr | awk -v OFS=, '{print $5,$6}'
```

• Visual transformation: link graph of Multimedia Message Service traffic (sender → recipient)

[Figure: Multimedia Message Service link graph; cluster of service numbers]
[Figure: Multimedia Message Service link graph; long chains]
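The processing step above (fields 5 and 6 of every CDR into sender/recipient pairs) and the two shapes the slides look for in the resulting link graph (service numbers that many subscribers talk to, and long forwarding chains), as an added Python example. This is not code from the workshop or from DAVIX. The CDR lines are constructed in the slide's field layout with masked subscriber numbers; the short code 222, the chain of subscribers and the fan-in threshold are assumptions made for the example.

```python
"""First pass over MMS call detail records (CDR), AfterGlow-style.

Re-implements in Python what the slide does with awk plus a link graph:
pull the originating/terminating numbers out of each record, then look for
a number that many distinct subscribers send to (the service-number cluster)
and for long forwarding chains (A sends to B, B to C, C to D ...).
"""
from collections import defaultdict

# Constructed sample records in the field layout shown on the slide: two
# timestamp pairs (fields 1-4), originating number (field 5), terminating
# number (field 6), then the remaining MM4 fields. Subscriber numbers are
# masked with "xxxx" as on the slide; "222" stands in for a service short code.
SAMPLE_CDR = """\
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord
20051117225702 GMT 20051117225702 GMT 4176448xxxx 4178811xxxx 0 63517 20051117225702 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord
20051117225710 GMT 20051117225710 GMT 4178811xxxx 4177222xxxx 0 63517 20051117225710 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord
20051117225719 GMT 20051117225719 GMT 4177222xxxx 4175333xxxx 0 63517 20051117225719 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord
20051117225730 GMT 20051117225730 GMT 4176448xxxx 4179543xxxx 0 1201 20051117225730 GMT 19700101000000 GMT text/plain CHEC1_MMSC1 MM4Rrecord
20051117225741 GMT 20051117225741 GMT 4176448xxxx 222 0 410 20051117225741 GMT 19700101000000 GMT text/plain CHEC1_MMSC1 MM4Rrecord
20051117225752 GMT 20051117225752 GMT 4178811xxxx 222 0 410 20051117225752 GMT 19700101000000 GMT text/plain CHEC1_MMSC1 MM4Rrecord
20051117225803 GMT 20051117225803 GMT 4179543xxxx 222 0 410 20051117225803 GMT 19700101000000 GMT text/plain CHEC1_MMSC1 MM4Rrecord
"""


def extract_edges(cdr_text):
    """Equivalent of `awk -v OFS=, '{print $5,$6}'`: one (originator, recipient) per record."""
    edges = []
    for line in cdr_text.splitlines():
        fields = line.split()
        if len(fields) < 6:  # skip blank or truncated records
            continue
        edges.append((fields[4], fields[5]))
    return edges


def to_csv(edges):
    """The two-column CSV that afterglow.pl would be fed."""
    return "\n".join(f"{src},{dst}" for src, dst in edges) + "\n"


def fan_counts(edges):
    """Distinct peers per number, as (fan_out, fan_in) dicts."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        out_peers[src].add(dst)
        in_peers[dst].add(src)
    return ({n: len(p) for n, p in out_peers.items()},
            {n: len(p) for n, p in in_peers.items()})


def service_number_candidates(edges, min_fan_in=3):
    """Numbers that many distinct subscribers send to: the 'service numbers' cluster."""
    _, fan_in = fan_counts(edges)
    return sorted(n for n, k in fan_in.items() if k >= min_fan_in)


def longest_chain(edges):
    """Longest simple forwarding path A->B->C..., returned as a list of numbers.

    Replies (B->A) put cycles into the graph, so the DFS tracks the numbers
    on the current path rather than using a global visited set.
    """
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    best = []

    def walk(node, path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in adj.get(node, []):
            if nxt not in path:  # never revisit a number already on this path
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for start in list(adj):
        walk(start, [start])
    return best


if __name__ == "__main__":
    pairs = extract_edges(SAMPLE_CDR)
    print(to_csv(pairs))
    print("service number candidates:", service_number_candidates(pairs))
    chain = longest_chain(pairs)
    print(f"longest chain ({len(chain) - 1} hops):", " -> ".join(chain))
```

On the constructed records the short code 222 is the only number with three distinct senders, and the longest chain runs four hops from 4179543xxxx to 4175333xxxx; the reply edge back to 4179543xxxx is handled without looping.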
Hands-on Analysis

Let's Go
• Captures are in /root/davix_workshop_captures.pcap
• Find something interesting. Come show!
• Hints

```sh
tcpdump -nlr /root/davix_workshop_captures.pcap
tcpdump2csv.pl
afterglow.pl -h
bar.pl -h
```

AfterGlow: Variable and Color

```
# a list of "bad" target values; targets in the list are orange, all others palegreen
variable=@violation=("Backdoor Access","HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"
```

AfterGlow: Node Size and Threshold

```
# size source nodes from the third column, drop sources whose summed size is below 14
maxnodesize=1
size.source=$fields[2]
size=0.5
sum.target=0
threshold.source=14
```

AfterGlow: Color and Cluster

```
# sources starting with 111 are palegreen, all other sources red; collapse sources to a /8
color.source="palegreen" if ($fields[0] =~ /^111/);
color.source="red"
color.target="palegreen"
cluster.source=regex_replace("(\d+)\.\d+")."/8"
```
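The three property snippets above, together with the CSV-to-DOT flow of the AfterGlow 1.x slide, reimplemented as a small Python script so the effect of each rule can be seen on concrete input. This is an added example, not afterglow.pl or any DAVIX code: it approximates AfterGlow's semantics for just the properties the slides show (the violation variable with color.target, color.source, cluster.source, size.source, sum, threshold.source, maxnodesize). The SAMPLE_CSV rows, the 111.x/10.x/172.x addresses and the proportional node-size scaling are assumptions made for the example.

```python
"""A miniature AfterGlow: CSV in, DOT out, driven by the rules on the slides.

Added approximation of what afterglow.pl does for the handful of properties
shown in the workshop; the semantics are simplified to those slides.
"""
import re
from collections import defaultdict

# Constructed three-column CSV in the slides' shape: source,target,size.
SAMPLE_CSV = """\
111.0.0.5,Backdoor Access,9
111.0.0.5,Ping,7
10.0.0.2,HackerTool Download,20
10.0.0.2,Ping,3
172.16.4.9,Patent Access,2
"""

# The slides' property values, as data.
VIOLATION = ("Backdoor Access", "HackerTool Download")   # variable=@violation=(...)
MAXNODESIZE = 1.0                                        # maxnodesize=1
DEFAULT_SIZE = 0.5                                       # size=0.5
THRESHOLD_SOURCE = 14                                    # threshold.source=14
CLUSTER_SOURCE = re.compile(r"(\d+)\.\d+")               # regex_replace("(\d+)\.\d+")."/8"


def color_target(target):
    # color.target="orange" if (grep(/$fields[1]/,@violation)); color.target="palegreen"
    return "orange" if target in VIOLATION else "palegreen"


def color_source(source):
    # color.source="palegreen" if ($fields[0] =~ /^111/); color.source="red"
    return "palegreen" if re.match(r"^111", source) else "red"


def cluster_source(source):
    # cluster.source=regex_replace("(\d+)\.\d+")."/8": keep the first octet, label it /8
    m = CLUSTER_SOURCE.match(source)
    return m.group(1) + "/8" if m else source


def parse_csv(text):
    """Rows of (source, target, size); size.source=$fields[2], else the default size."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        size = float(fields[2]) if len(fields) > 2 else DEFAULT_SIZE
        rows.append((fields[0], fields[1], size))
    return rows


def build_graph(text):
    """Apply cluster.source, sum.source (default on), threshold.source and maxnodesize.

    Returns (edges, source node sizes, source node colours); sum.target=0 means
    target nodes keep the default size and are never summed.
    """
    source_size, source_color, edges = defaultdict(float), {}, []
    for src, dst, size in parse_csv(text):
        node = cluster_source(src)
        source_color[node] = color_source(src)  # colour is decided on the raw field
        source_size[node] += size               # sum.source=1: sizes add up per node
        edges.append((node, dst))
    kept = {n for n, total in source_size.items() if total >= THRESHOLD_SOURCE}
    edges = [(s, d) for s, d in edges if s in kept]
    biggest = max((source_size[n] for n in kept), default=1.0)
    node_size = {n: round(MAXNODESIZE * source_size[n] / biggest, 2) for n in kept}
    return edges, node_size, {n: source_color[n] for n in kept}


def to_dot(text):
    """Render the graph in the DOT dialect the AfterGlow slide shows."""
    edges, node_size, colors = build_graph(text)
    lines = ["digraph structs {",
             '  graph [label="mini-afterglow", fontsize=8];',
             "  node [shape=ellipse, style=filled, fontsize=10, fixedsize=true];",
             "  edge [len=1.6];"]
    for s in sorted(node_size):
        lines.append(f'  "{s}" [fillcolor={colors[s]}, width={node_size[s]}, height={node_size[s]}];')
    for t in sorted({d for _, d in edges}):
        lines.append(f'  "{t}" [fillcolor={color_target(t)}, width={DEFAULT_SIZE}, height={DEFAULT_SIZE}];')
    for s, d in dict.fromkeys(edges):  # one edge per distinct pair, input order kept
        lines.append(f'  "{s}" -> "{d}";')
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_dot(SAMPLE_CSV))
```

Running it shows the rules compounding: 172.16.4.9 disappears because its summed size (2) is below threshold.source, the two remaining sources collapse to "111/8" (palegreen, size 0.7) and "10/8" (red, size 1.0), and the two violation targets come out orange while Ping stays palegreen. Pipe the output into neato to draw it, just as afterglow.pl's output would be.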
Thank You
davix.secviz.org
secviz.org
![Page 2: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/2.jpg)
DAVIX VisualizationWorkshop
Jan Monsch at iplosion comRaffael Marty at secviz org
D
V
X
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Senior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Raffael Marty Jan P MonschSenior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 3: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/3.jpg)
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Senior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Raffael Marty Jan P MonschSenior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 4: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/4.jpg)
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Raffael Marty Jan P MonschSenior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 5: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/5.jpg)
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networks
• Problem: Find worms in mobile networks
• Data: Call Detail Records (CDR)
    20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
• Process: pull out fields 5 and 6 (the two subscriber numbers) as a two-column CSV for AfterGlow
    cat mms.cdr | awk -v OFS=, '{print $5,$6}'
• Visual Transformation
[Figure: Multimedia Message Service link graph, annotated "Service Numbers"]
[Figure: Multimedia Message Service link graph, annotated "Long Chains"]
Hands-on Analysis
Let's Go
• Captures are in /root/davix_workshop_captures.pcap
• Find something interesting. Come show!
• Hints
- tcpdump -nlr /root/davix_workshop_captures.pcap
- tcpdump2csv.pl
- afterglow.pl -h
- bar.pl -h
AfterGlow Variable and Color
    variable=@violation=("Backdoor Access", "HackerTool Download");
    color.target="orange" if (grep(/$fields[1]/,@violation));
    color.target="palegreen"
Node Size and Threshold
    maxnodesize=1
    size.source=$fields[2]
    size=0.5
    sum.target=0
    threshold.source=14
Color and Cluster
    color.source="palegreen" if ($fields[0] =~ /^111/);
    color.source="red"
    color.target="palegreen"
    cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
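The three property slides applied end to end, as an added example that is neither AfterGlow's own Perl code nor part of the workshop material: a small Python converter that reads the two-column (source,target) CSV layout of the AfterGlow 1.x slide, applies the violation colouring, the ^111 source colouring, the /8 clustering and a source threshold, and emits the DOT graph-language file that afterglow.pl would hand to GraphViz. The sample records, the threshold value of 2 and sizing sources by edge count (instead of by $fields[2]) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the two-column (source,target) CSV layout of the
# "AfterGlow 1.x" slide; IP sources give the /8 clustering rule something to do.
SAMPLE_CSV = """\
10.0.0.2,Printing Resume
10.0.0.2,Patent Access
10.0.0.9,Ping
111.4.5.6,Backdoor Access
111.4.5.6,HackerTool Download
111.4.7.7,Ping
192.168.1.1,Information Encryption
"""

# variable=@violation=("Backdoor Access", "HackerTool Download");
VIOLATIONS = ("Backdoor Access", "HackerTool Download")


def parse_csv(text):
    """Split the slides' plain CSV (no quoting) into field lists, skipping blank lines."""
    return [line.split(",") for line in text.splitlines() if line.strip()]


def cluster_source(source):
    """cluster.source=regex_replace("(\\d+)\\.\\d+")."/8": first octet plus "/8".

    Non-IP sources (host names) are left as they are.
    """
    m = re.match(r"(\d+)\.\d+", source)
    return f"{m.group(1)}/8" if m else source


def color_source(fields):
    """color.source="palegreen" if ($fields[0] =~ /^111/); otherwise the fallback "red"."""
    return "palegreen" if re.match(r"^111", fields[0]) else "red"


def color_target(fields):
    """color.target="orange" if (grep(/$fields[1]/,@violation)); fallback "palegreen".

    The Perl rule interpolates the target into a regex unescaped; re.escape keeps
    a target containing metacharacters from matching more than it should.
    """
    pattern = re.escape(fields[1])
    return "orange" if any(re.search(pattern, v) for v in VIOLATIONS) else "palegreen"


def build_graph(records, threshold=1, maxnodesize=1.0):
    """Apply the rules to [source, target] records and return (nodes, edges).

    nodes maps a label to {"color", "size"}; edges is a de-duplicated list of
    (source, target) labels. threshold mirrors threshold.source: clustered
    sources seen fewer than `threshold` times are dropped with their edges.
    Source size is the node's share of the busiest source scaled to maxnodesize
    (an assumption of this example; the slide sizes by $fields[2]); targets get
    the slide's default size=0.5.
    """
    src_count = Counter(cluster_source(r[0]) for r in records)
    busiest = max(src_count.values(), default=1)
    nodes, edges = {}, []
    for fields in records:
        src = cluster_source(fields[0])
        if src_count[src] < threshold:
            continue
        nodes[src] = {"color": color_source(fields),
                      "size": round(maxnodesize * src_count[src] / busiest, 2)}
        tgt = fields[1]
        # A target reached by any violation stays orange; a later benign edge
        # to the same node must not overwrite the alert colour.
        already_orange = nodes.get(tgt, {}).get("color") == "orange"
        nodes[tgt] = {"color": "orange" if already_orange else color_target(fields),
                      "size": 0.5}
        if (src, tgt) not in edges:
            edges.append((src, tgt))
    return nodes, edges


def to_dot(nodes, edges, label="AfterGlow-style example"):
    """Emit the DOT graph-language file that afterglow.pl hands to GraphViz."""
    out = ["digraph structs {",
           f'  graph [label="{label}", fontsize=8];',
           "  node [shape=ellipse, style=filled, fontsize=10, fixedsize=true];",
           "  edge [len=1.6];"]
    for name, attr in nodes.items():
        out.append(f'  "{name}" [fillcolor={attr["color"]}, '
                   f'width={attr["size"]}, height={attr["size"]}];')
    for src, tgt in edges:
        out.append(f'  "{src}" -> "{tgt}";')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # threshold=2 instead of the slide's 14, so the small sample keeps two /8 clusters
    graph_nodes, graph_edges = build_graph(parse_csv(SAMPLE_CSV), threshold=2)
    print(to_dot(graph_nodes, graph_edges))
```

Pipe the printed output into neato or dot to render it, exactly as afterglow.pl's output is rendered on DAVIX.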
Thank You
davix.secviz.org
secviz.org
![Page 6: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/6.jpg)
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 7: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/7.jpg)
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 8: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/8.jpg)
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 9: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/9.jpg)
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 10: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/10.jpg)
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 11: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/11.jpg)
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1.x
CSV File → AfterGlow (Parser → Grapher) → Graph Language File
Input CSV:
aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping
Output DOT:
digraph structs {
  graph [label="AfterGlow 1.5.8", fontsize=8];
  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
  edge [len=1.6];
  "aaelenes" -> "Printing Resume";
  "abbe" -> "Information Encryption";
  "aanna" -> "Patent Access";
  "aatharuv" -> "Ping";
}
An Example Analysis
Worms in Mobile Networks
• Problem: find worms in mobile networks
• Data: Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
• Process: pull the originating and destination numbers out of each record
cat mms.cdr | awk -v OFS=, '{print $5,$6}'
• Visual Transformation
[Figure: Multimedia Message Service graph: Service Numbers]
[Figure: Multimedia Message Service graph: Long Chains]
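The CDR step above, carried through in code as an added example (not the workshop's own script): it extracts the same sender/recipient pair the awk one-liner prints, then scores the resulting graph for the two shapes the slides point at, service numbers (many senders into one recipient) and long forwarding chains. The CDR lines are constructed to match the slide's column layout and are not real records.

```python
"""Sender->recipient extraction from MMS Call Detail Records plus two simple
graph checks: fan-in hubs (service numbers) and the longest forwarding chain
(worm-like propagation). Added example with constructed records."""
from collections import defaultdict

# Constructed CDR lines in the slide's layout: two timestamps with GMT markers,
# then the originating number ($5) and the destination number ($6); the
# trailing columns are shortened. Numbers are made up and partly masked.
SAMPLE_CDR = """\
20051117225657 GMT 20051117225657 GMT 4179543xxx1 4176448xxx2 0 63517 image/jpeg
20051117225701 GMT 20051117225701 GMT 4176448xxx2 4176448xxx3 0 63517 image/jpeg
20051117225710 GMT 20051117225710 GMT 4176448xxx3 4176448xxx4 0 63517 image/jpeg
20051117225715 GMT 20051117225715 GMT 4176448xxx4 4176448xxx5 0 63517 image/jpeg
20051117225720 GMT 20051117225720 GMT 4179543xxx1 4170000x111 0 1200 text/plain
20051117225721 GMT 20051117225721 GMT 4176448xxx2 4170000x111 0 1200 text/plain
20051117225722 GMT 20051117225722 GMT 4176448xxx9 4170000x111 0 1200 text/plain
"""


def cdr_pairs(text):
    """Same selection as: awk -v OFS=, '{print $5,$6}' -> list of (src, dst)."""
    pairs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6:
            pairs.append((f[4], f[5]))
    return pairs


def to_csv(pairs):
    """The two-column CSV that AfterGlow would read as its edge list."""
    return "\n".join(f"{s},{d}" for s, d in pairs)


def service_numbers(pairs, min_fan_in=3):
    """Recipients with at least min_fan_in distinct senders: the star-shaped
    hubs in the graph, which are service numbers rather than infected handsets."""
    senders = defaultdict(set)
    for s, d in pairs:
        senders[d].add(s)
    return {d: len(v) for d, v in senders.items() if len(v) >= min_fan_in}


def longest_chain(pairs, exclude=()):
    """Longest simple path src -> ... -> dst, ignoring excluded nodes (normally
    the service numbers, which otherwise hang off every chain). A chain that
    keeps growing hop by hop is the propagation pattern a worm leaves behind."""
    adj = defaultdict(list)
    for s, d in pairs:
        if s not in exclude and d not in exclude:
            adj[s].append(d)
    best = []

    def walk(node, path):
        nonlocal best
        if len(path) > len(best):
            best = path[:]
        for nxt in adj.get(node, []):
            if nxt not in path:          # simple paths only: no revisits
                walk(nxt, path + [nxt])

    for start in list(adj):
        walk(start, [start])
    return best


if __name__ == "__main__":
    pairs = cdr_pairs(SAMPLE_CDR)
    print(to_csv(pairs))
    hubs = service_numbers(pairs)
    print("service numbers:", hubs)
    print("longest chain:", " -> ".join(longest_chain(pairs, exclude=hubs)))
```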
Hands-on Analysis
Let's Go
• Captures are in /root/davix_workshop_captures.pcap
• Find something interesting and come show it
• Hints
- tcpdump -nlr /root/davix_workshop_captures.pcap
- tcpdump2csv.pl
- afterglow.pl -h
- bar.pl -h
AfterGlow Variable and Color
variable=@violation=("Backdoor Access","HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen";
Node Size and Threshold
maxnodesize=1;
size.source=$fields[2];
size=0.5;
sum.target=0;
threshold.source=14;
Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/);
color.source="red";
color.target="palegreen";
cluster.source=regex_replace("(\\d+)\\.\\d+")."/8";
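The AfterGlow 1.x parser/grapher flow from the Data Formats slides and the three property snippets above, re-expressed as one added example in Python (this is not AfterGlow's own Perl code, and the size/threshold semantics are a simplification of AfterGlow's): a source,target,count CSV goes in, the colour, cluster, size and threshold rules are applied, and DOT in the slide's layout comes out. The CSV rows and the threshold value are constructed for the example.

```python
"""CSV -> DOT in the style of AfterGlow 1.x, with the slides' property rules
(variable/color, cluster, size, threshold) rewritten in Python. Added example."""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed input: source,target,count. The third column feeds the node-size
# rule (size.source=$fields[2] on the slide).
SAMPLE_CSV = """\
111.2.3.4,Backdoor Access,20
111.2.3.4,Ping,3
10.0.0.2,HackerTool Download,15
10.0.0.2,Patent Access,1
192.168.1.7,Ping,2
"""

# variable=@violation=("Backdoor Access","HackerTool Download");
VIOLATIONS = ("Backdoor Access", "HackerTool Download")


def parse_csv(text):
    """Parser stage: CSV text -> list of field lists (AfterGlow's @fields)."""
    return [row for row in csv.reader(io.StringIO(text)) if row]


def color_target(fields):
    # color.target="orange" if (grep(/$fields[1]/,@violation)); else "palegreen"
    return "orange" if fields[1] in VIOLATIONS else "palegreen"


def color_source(fields):
    # color.source="palegreen" if ($fields[0] =~ /^111/); color.source="red"
    return "palegreen" if re.match(r"^111", fields[0]) else "red"


def cluster_source(fields):
    # cluster.source=regex_replace("(\\d+)\\.\\d+")."/8": keep the first octet
    # and label the node as a /8, so every host of that block becomes one node
    m = re.match(r"(\d+)\.\d+", fields[0])
    return f"{m.group(1)}/8" if m else fields[0]


def build_graph(rows, threshold_source=1, maxnodesize=1.0, default_size=0.5):
    """Grapher stage: apply the rules and collect nodes and edges.

    Simplified semantics: a source node's size is the sum of $fields[2] over
    its rows (sum.source), rescaled so the largest source equals maxnodesize;
    targets keep the default size (sum.target=0); sources that occur fewer
    than threshold_source times are dropped (threshold.source)."""
    occurrences = Counter(cluster_source(f) for f in rows)
    raw_size = defaultdict(float)
    nodes, edges = {}, []
    for f in rows:
        src = cluster_source(f)
        if occurrences[src] < threshold_source:
            continue
        raw_size[src] += float(f[2]) if len(f) > 2 else 0.0
        nodes[src] = {"color": color_source(f), "size": default_size}
        nodes.setdefault(f[1], {"color": color_target(f), "size": default_size})
        edges.append((src, f[1]))
    biggest = max(raw_size.values(), default=0.0)
    for name, total in raw_size.items():
        if biggest > 0:
            nodes[name]["size"] = round(maxnodesize * total / biggest, 2)
    return {"nodes": nodes, "edges": edges}


def to_dot(graph, label="AfterGlow 1.5.8"):
    """Emit DOT in the layout shown on the AfterGlow 1.x slide."""
    lines = ["digraph structs {",
             f'  graph [label="{label}", fontsize=8];',
             "  node [shape=ellipse, style=filled, fontsize=10, fixedsize=true];",
             "  edge [len=1.6];"]
    for name, attrs in graph["nodes"].items():
        size = attrs["size"]
        lines.append(f'  "{name}" [fillcolor={attrs["color"]}, width={size}, height={size}];')
    for src, dst in graph["edges"]:
        lines.append(f'  "{src}" -> "{dst}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_graph(parse_csv(SAMPLE_CSV), threshold_source=2)))
```

Pipe the printed DOT into neato or dot from Graphviz to render it, which is what AfterGlow does at the end of its own pipeline.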
Thank You
davix.secviz.org
secviz.org
![Page 12: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/12.jpg)
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 13: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/13.jpg)
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 14: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/14.jpg)
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 15: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/15.jpg)
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 16: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/16.jpg)
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 17: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/17.jpg)
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 18: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/18.jpg)
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 19: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/19.jpg)
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
![Page 20: V DAVIX Visualization D X Workshop - SecViz- Getting tools running is simple User can concentrate on analysis - Easy customizable Users can add missing things - Perfect workspace to](https://reader034.vdocument.in/reader034/viewer/2022042221/5ec7ec33b0586619b6106cea/html5/thumbnails/20.jpg)
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Let's Go
• Captures are in /root/davix_workshop_captures.pcap
• Find something interesting. Come show!
• Hints
  • tcpdump -nlr /root/davix_workshop_captures.pcap
  • tcpdump2csv.pl
  • afterglow.pl -h
  • bar.pl -h
AfterGlow Variable and Color
variable=@violation=("Backdoor Access","HackerTool Download");
color.target="orange" if (grep(/$fields[1]/,@violation));
color.target="palegreen"

Node Size and Threshold
maxnodesize=1
size.source=$fields[2]
size=0.5
sum.target=0
threshold.source=14

Color and Cluster
color.source="palegreen" if ($fields[0] =~ /^111/)
color.source="red"
color.target="palegreen"
cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
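The three property snippets above are AfterGlow's rule language; the example below is an added Python re-implementation of what they do to a CSV link list (colour by a violation list, size and threshold from the third column, /8 clustering of the source), written for this page and not part of AfterGlow itself. It assumes a three-column source,target,count input (the Data Formats and AfterGlow 1.x slides show two-column files), applies the cluster before the source colour rule, and scales node sizes to maxnodesize; the sample rows are constructed.

```python
"""Minimal AfterGlow-style CSV -> DOT generator.

Added example, not AfterGlow code. It mirrors the slide's property rules:
  variable=@violation=(...); color.target="orange" if grep(...); color.target="palegreen"
  maxnodesize=1; size.source=$fields[2]; size=0.5; threshold.source=14
  color.source="palegreen" if ($fields[0] =~ /^111/); color.source="red"
  cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
Assumed input layout: source,target,count.
"""
import re
from collections import defaultdict

# Constructed sample rows: client address -> action, count.
SAMPLE_CSV = """\
111.2.3.4,Backdoor Access,20
111.2.3.9,Printing Resume,5
10.0.0.2,HackerTool Download,12
10.0.0.3,Patent Access,3
10.0.0.3,Ping,1
192.168.1.5,Ping,2
"""

# variable=@violation=("Backdoor Access","HackerTool Download");
VIOLATION = ("Backdoor Access", "HackerTool Download")


def parse_csv(text):
    """Return (source, target, count) rows; lines without three fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and parts[2].isdigit():
            rows.append((parts[0], parts[1], int(parts[2])))
    return rows


def cluster_source(node):
    """cluster.source=regex_replace("(\\d+)\\.\\d+")."/8": keep the first octet, tag /8."""
    m = re.match(r"(\d+)\.\d+", node)
    return f"{m.group(1)}/8" if m else node


def color_target(name):
    """color.target="orange" if the action is in @violation, else "palegreen"."""
    return "orange" if name in VIOLATION else "palegreen"


def color_source(name):
    """color.source="palegreen" if it matches /^111/, else "red"."""
    return "palegreen" if re.match(r"^111", name) else "red"


def build_graph(rows, threshold_source=14, maxnodesize=1.0):
    """Return (nodes, edges). nodes: name -> {"color", "size"}.

    Source size is the summed third column (size.source=$fields[2]), scaled so the
    largest node is maxnodesize; sources whose sum is below threshold_source are
    dropped (threshold.source). Targets get the default size=0.5 (sum.target=0)."""
    totals = defaultdict(int)
    for src, _, cnt in rows:
        totals[cluster_source(src)] += cnt
    largest = max(totals.values()) if totals else 1
    nodes, edges = {}, []
    for src, tgt, _cnt in rows:
        s = cluster_source(src)
        if totals[s] < threshold_source:
            continue
        nodes[s] = {"color": color_source(s),
                    "size": round(maxnodesize * totals[s] / largest, 2)}
        nodes.setdefault(tgt, {"color": color_target(tgt), "size": 0.5})
        if (s, tgt) not in edges:
            edges.append((s, tgt))
    return nodes, edges


def to_dot(nodes, edges, label="AfterGlow-style example"):
    """Emit a DOT graph in the layout the AfterGlow 1.x slide shows."""
    lines = ["digraph structs {",
             f'  graph [label="{label}", fontsize=8];',
             "  node [shape=ellipse, style=filled, fontsize=10, fixedsize=true];",
             "  edge [len=1.6];"]
    for name, attr in nodes.items():
        lines.append(f'  "{name}" [fillcolor={attr["color"]}, '
                     f'width={attr["size"]}, height={attr["size"]}];')
    for s, t in edges:
        lines.append(f'  "{s}" -> "{t}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(*build_graph(parse_csv(SAMPLE_CSV))))
```

With the sample rows, the 192/8 source totals 2 and falls under threshold.source=14, so it never reaches the graph, while the two violation actions come out orange against palegreen targets; piping the printed DOT into `neato` or `dot` gives the same kind of picture afterglow.pl produces.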
Thank You
davix.secviz.org
secviz.org