embracing the chaos
Managed by UT-Battelle for the U.S. Department of Energy
• cyber security geek
• ORNL for a year
• formerly unix sysadmin
• open networks
virtual computing data cloud
[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
“What could possibly go wrong?”
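An added example (not from the slides) of what goes wrong with the address pattern above: the pattern is lowercase-only, and `search()` accepts an address buried in other text while `fullmatch()` does not. The sample inputs are constructed.

```python
import re

# The address pattern from the slide, joined back onto one line.
EMAIL_PATTERN = (
    r"[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
)
LOOSE = re.compile(EMAIL_PATTERN)                  # as written: lowercase only
STRICT = re.compile(EMAIL_PATTERN, re.IGNORECASE)  # hostnames are case-insensitive


def loose_match(text: str) -> bool:
    """The tempting check: is there an address somewhere in the input?"""
    return LOOSE.search(text) is not None


def strict_match(text: str) -> bool:
    """The check you want for validation: the whole input is one address."""
    return STRICT.fullmatch(text) is not None


# Constructed inputs, chosen to show where the two checks disagree.
SAMPLES = [
    "alice@example.org",                    # both accept
    "Alice@Example.ORG",                    # valid, but the lowercase-only pattern misses it
    "user@example.org plus trailing text",  # search() accepts; fullmatch() rejects
    "bob@localhost",                        # the pattern requires a dotted domain
]


def compare(samples=SAMPLES):
    """Map each sample to (loose, strict) so the disagreements are visible."""
    return {s: (loose_match(s), strict_match(s)) for s in samples}


if __name__ == "__main__":
    for sample, verdict in compare().items():
        print(f"{sample!r:45} search={verdict[0]!s:5} fullmatch={verdict[1]}")
```

The lesson for log parsing, not just validation: a pattern that silently misses uppercase hostnames or single-label domains means your dataset is incomplete, and you will not notice until an investigation depends on it.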
“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”
netflow version 5
• source IP address
• destination IP address
• next hop router IP address
• packet count
• byte count
• source port
• destination port
• TCP flags
• layer 4 protocol
• time at start of flow
• time at end of flow
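An added example, not from the slides: a decoder for the standard NetFlow v5 export format (24-byte header, then fixed 48-byte records) that produces exactly the fields listed above. The sample packet is constructed with documentation addresses; the only interpretation choice is converting the uptime-relative start/end times to epoch seconds using the exporter's clock from the header.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: header fields version..sampling_interval,
# record fields srcaddr..pad2, all big-endian.
HEADER = struct.Struct(">HHIIIIBBH")
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def tcp_flag_names(bits: int) -> str:
    """Render the cumulative TCP flags byte as a comma-separated name list."""
    return ",".join(name for bit, name in TCP_FLAG_NAMES if bits & bit) or "-"


def parse_netflow_v5(packet: bytes) -> list[dict]:
    """Return one dict per flow record; times are epoch seconds."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs,
     _flow_seq, _engine_type, _engine_id, _sampling) = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated export packet: header promises more records")
    # Wall-clock instant at which the exporter's uptime counter read zero.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - sys_uptime_ms / 1000
    flows = []
    for i in range(count):
        (src, dst, nexthop, _in_if, _out_if, pkts, octets, first_ms, last_ms,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({
            "src_ip": str(IPv4Address(src)),
            "dst_ip": str(IPv4Address(dst)),
            "next_hop": str(IPv4Address(nexthop)),
            "packets": pkts,
            "bytes": octets,
            "src_port": sport,
            "dst_port": dport,
            "tcp_flags": tcp_flag_names(tcp_flags),
            "protocol": proto,
            "start": boot_epoch + first_ms / 1000,
            "end": boot_epoch + last_ms / 1000,
        })
    return flows


def build_sample_packet() -> bytes:
    """Constructed export packet (one flow) so the parser runs without a router."""
    header = HEADER.pack(5, 1, 60_000, 1_243_027_079, 0, 0, 0, 0, 0)
    record = RECORD.pack(
        IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.5").packed,
        IPv4Address("192.0.2.1").packed, 1, 2, 12, 5040, 50_000, 59_000,
        51234, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_packet()):
        print(flow)
```

The length check before the record loop matters on a real collector: a UDP export packet whose header advertises more records than arrived should be rejected, not decoded into garbage flows.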
SANS top 10?
hot botnet of the week?
today’s current spearphishing attack?
long term trending?
advanced host /network filtering?
unflattering Halloween costume?
flow-tools, fprobe, probescan, flowd, psyche, ntop, lots of others
flow-tools
discrete remote IPs and timestamps
database of your liking
grind through data, possibly index
profit!
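An added example, not from the slides, of the "database of your liking, grind through data, possibly index" step: flow records loaded into SQLite, each tagged with its local and remote endpoint, an index on (remote, start), and the two queries an analyst reaches for first. The flow records and the local range 192.0.2.0/24 are constructed assumptions.

```python
import sqlite3
from ipaddress import ip_address, ip_network

# Assumption for this example: the monitored site is the documentation
# range 192.0.2.0/24; anything outside it is "remote".
LOCAL_NET = ip_network("192.0.2.0/24")

# Constructed flow records, not real traffic:
# (start_epoch, src_ip, dst_ip, dst_port, ip_proto, bytes)
SAMPLE_FLOWS = [
    (1243027069, "192.0.2.10", "198.51.100.5", 443, 6, 5040),
    (1243027100, "192.0.2.11", "198.51.100.5", 443, 6, 2210),
    (1243027130, "192.0.2.12", "198.51.100.5", 443, 6, 1800),
    (1243027200, "192.0.2.10", "203.0.113.9", 6667, 6, 312),
    (1243027260, "192.0.2.10", "203.0.113.9", 6667, 6, 290),
    (1243027300, "198.51.100.77", "192.0.2.20", 22, 6, 1500),
]


def build_flow_db(flows=SAMPLE_FLOWS) -> sqlite3.Connection:
    """Load flows into SQLite, tag local/remote endpoints, index the query columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE flows (
            start  INTEGER NOT NULL,   -- epoch seconds at start of flow
            src    TEXT NOT NULL,
            dst    TEXT NOT NULL,
            dport  INTEGER NOT NULL,
            proto  INTEGER NOT NULL,
            bytes  INTEGER NOT NULL,
            local  TEXT NOT NULL,      -- the endpoint inside LOCAL_NET
            remote TEXT NOT NULL       -- the other endpoint
        )""")
    rows = []
    for start, src, dst, dport, proto, nbytes in flows:
        if ip_address(src) in LOCAL_NET:
            local, remote = src, dst
        else:
            local, remote = dst, src
        rows.append((start, src, dst, dport, proto, nbytes, local, remote))
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    # Turns "who talked to remote X during window Y" into an index range scan.
    conn.execute("CREATE INDEX flows_remote_start ON flows (remote, start)")
    conn.commit()
    return conn


def remote_summary(conn):
    """Per remote IP: distinct local hosts involved, first/last seen, total bytes."""
    return conn.execute("""
        SELECT remote, COUNT(DISTINCT local) AS hosts, MIN(start), MAX(start), SUM(bytes)
        FROM flows GROUP BY remote
        ORDER BY hosts DESC, remote""").fetchall()


def local_hosts_talking_to(conn, remote, since):
    """Discrete local hosts seen with `remote` at or after epoch `since`."""
    rows = conn.execute(
        "SELECT DISTINCT local FROM flows WHERE remote = ? AND start >= ? ORDER BY local",
        (remote, since))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_flow_db()
    for row in remote_summary(db):
        print(row)
    print(local_hosts_talking_to(db, "203.0.113.9", 1243027200))
```

Tagging local/remote at load time is the design choice worth copying: flow direction varies (inbound SSH vs. outbound HTTPS), and pre-splitting the endpoints lets every later query ask "which of our hosts" without re-deriving it.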
problems:
• easy to get lost in the minutiae
• duplication of work amongst analysts
• make sure your datasets are complete
solutions:
• documentation is the sad answer
• mailing lists
• command line entries
• full blown ticketing system (please no)
• sit everyone in the same room
DNS Logs
May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +
URL Common Logs (urlsnarf)
160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"
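An added example, not from the slides, that serves both the DNS log line and the urlsnarf line above: parse each into a common record (timestamp, source, client IP, indicator) so the two sources can be queried together. The sample inputs are the two lines from the slides (user agent shortened) plus one constructed non-query named line. One assumption is labelled in the code: the BIND query log carries no UTC offset, so the -0400 offset the urlsnarf line records is applied to DNS lines too.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumption: BIND's query log prints local time with no offset; apply the
# -0400 offset the urlsnarf line records so both sources share one clock.
LOG_TZ = timezone(timedelta(hours=-4))

DNS_QUERY_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) queries: info: "
    r"client (?P<client>[\d.]+)#\d+: (?:view \S+: )?query: (?P<qname>\S+) IN (?P<qtype>\S+)")
URL_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'\S+ \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SAMPLE_LINES = [
    "May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] "
    "22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: "
    "query: hfirw5.ornl.gov IN A +",
    '160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/'
    'photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - '
    '"http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    # constructed noise line: named output that is not a query
    "May 22 15:18:00 160.91.1.30 named[23144]: zone example.net/IN: sending notifies (serial 42)",
]


def parse_line(line: str):
    """Normalise one log line to {ts, source, client, indicator, ...}, or None."""
    m = DNS_QUERY_RE.search(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=LOG_TZ)
        return {"ts": ts, "source": "dns", "client": m["client"],
                "indicator": m["qname"].lower().rstrip("."), "qtype": m["qtype"]}
    m = URL_LOG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")   # offset comes from the log
        return {"ts": ts, "source": "url", "client": m["client"],
                "indicator": (urlsplit(m["url"]).hostname or "").lower(),
                "url": m["url"], "referer": m["referer"]}
    return None


def normalize(lines):
    """Keep only the lines we know how to read; count the rest if you care about completeness."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def timeline(records, client):
    """Everything one client did, across sources, in time order."""
    return sorted((r["ts"], r["source"], r["indicator"]) for r in records if r["client"] == client)


def clients_touching(records, hostname):
    """Which clients resolved or fetched from a given hostname."""
    return sorted({r["client"] for r in records if r["indicator"] == hostname.lower()})


if __name__ == "__main__":
    recs = normalize(SAMPLE_LINES)
    for rec in recs:
        print(rec["ts"].isoformat(), rec["source"], rec["client"], rec["indicator"])
    print(clients_touching(recs, "hfirw5.ornl.gov"))
```

Lowercasing and stripping the trailing dot from query names is what makes a DNS indicator join against the hostname pulled from a URL; without that normalisation the two sources look at the same host and disagree.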
Homebrew data sources
#!/bin/bash
# count established connections on port 9997 (a local listener): total sessions
# and distinct peer addresses, printed as key=value so a collector can ingest it
unique=$(netstat -an | grep :9997 | grep EST | sed -e 's/.*:9997 *//' -e 's/:.*//' | sort -u | wc -l)
total=$(netstat -an | grep :9997 | grep EST | wc -l)
echo "netstat total=$total unique=$unique"
Windows Event Logs
A few notes about windows event logs for the brave...
• Different operating systems have different codes
• Overloaded variable names exist in one event
• Inconsistent formats between applications
• Forced API usage – no flat text file interface
• Difficult to adjust what should or should not be logged
• Designed around forensics and not discovery
PCAP – raw data capture
• your largest dataset
• easily the hardest to use
• computationally intensive
• smoking gun (unless the traffic is encrypted...)
• location of the tap?
• software used?
• tcpdump, time machine, wireshark, tshark... many technologies
All of these technologies can be combined to create something beautiful!
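An added example, not from the slides, that ties the PCAP slide back to the NetFlow one: a minimal reader for the classic pcap file format that reduces raw Ethernet/IPv4 packets to flow-like records keyed by 5-tuple, keeps a sample of the first payload, and flags when that payload is a TLS record (the "smoking gun, unless encrypted" case). The capture is constructed in code with documentation addresses and zeroed checksums; the TLS-detection byte check is a heuristic, not a protocol parser.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def iter_packets(pcap: bytes):
    """Yield (timestamp, frame_bytes, original_length) from a classic pcap file."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (unknown magic)")
    rec_hdr = struct.Struct(endian + "IIII")      # ts_sec, ts_usec, incl_len, orig_len
    off = 24                                       # skip the 24-byte global header
    while off + rec_hdr.size <= len(pcap):
        sec, usec, incl_len, orig_len = rec_hdr.unpack_from(pcap, off)
        off += rec_hdr.size
        yield sec + usec / 1e6, pcap[off:off + incl_len], orig_len
        off += incl_len


def five_tuple(frame: bytes):
    """((src, dst, sport, dport, proto), tcp_flags, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return (src, dst, sport, dport, proto), l4[13], l4[(l4[12] >> 4) * 4:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return (src, dst, sport, dport, proto), 0, l4[8:]
    return None


def looks_like_tls(payload: bytes) -> bool:
    """Heuristic: TLS records open with a handshake/app-data type byte then major version 3.
    This tells you the traffic is TLS, not what was said inside it."""
    return len(payload) >= 3 and payload[0] in (0x16, 0x17) and payload[1] == 0x03


def summarize(pcap: bytes) -> dict:
    """Reduce raw packets to NetFlow-like records keyed by 5-tuple."""
    flows = {}
    for ts, frame, orig_len in iter_packets(pcap):
        parsed = five_tuple(frame)
        if parsed is None:
            continue
        key, flags, payload = parsed
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts,
                                   "tcp_flags": 0, "payload": b"", "encrypted": False})
        f["packets"] += 1
        f["bytes"] += orig_len
        f["last"] = max(f["last"], ts)
        f["tcp_flags"] |= flags
        if payload and not f["payload"]:          # keep the first payload bytes seen
            f["payload"] = payload[:16]
            f["encrypted"] = looks_like_tls(payload)
    return flows


def _frame(src, dst, proto, l4):
    """Constructed Ethernet/IPv4 frame; checksums left zero (sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return _frame(src, dst, 6, hdr + payload)


def udp_frame(src, dst, sport, dport, payload):
    return _frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def build_sample_pcap() -> bytes:
    """Constructed capture: start of a TLS session on 443 plus one UDP datagram to port 53."""
    frames = [
        (1243027069, 0, tcp_frame("192.0.2.10", "198.51.100.5", 51234, 443, 0x02)),
        (1243027069, 10000, tcp_frame("198.51.100.5", "192.0.2.10", 443, 51234, 0x12)),
        (1243027069, 20000, tcp_frame("192.0.2.10", "198.51.100.5", 51234, 443, 0x18,
                                      b"\x16\x03\x01\x00\x2f\x01")),   # constructed TLS record start
        (1243027070, 0, udp_frame("192.0.2.10", "192.0.2.1", 40000, 53, b"\x12\x34\x01\x00")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, Ethernet
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for key, rec in summarize(build_sample_pcap()).items():
        print(key, rec["packets"], rec["bytes"], hex(rec["tcp_flags"]), rec["encrypted"])
```

Reading the whole capture once to get back the same 5-tuple counters a router exports for free is the "computationally intensive" point in miniature; the payload sample and the encrypted flag are what PCAP adds over NetFlow, and the flag shows the limit of that addition.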
thanks!