Slide 1
embracing the chaos
Mark Lorenc, lorencm@ornl.gov
Slide 2
Managed by UT-Battelle for the U.S. Department of Energy
cyber security geek
ORNL for a year
formerly unix sysadmin
open networks
Slide 3
virtual computing, data, cloud
Slide 6
[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
“What could possibly go wrong?”
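The slide's pattern in use, as an added example that is not part of the talk: validating a whole input field with fullmatch() versus extracting addresses from free text, and two of the things that go wrong when the pattern is used carelessly (its classes are lowercase only, and match() silently accepts trailing input). The function names and sample addresses are constructed for this example.

```python
import re

# The e-mail pattern from the slide, compiled once. Its character classes are
# lowercase only, so re.IGNORECASE is required for "Alice@Example.COM" to pass.
EMAIL_RE = re.compile(
    r"[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?",
    re.IGNORECASE,
)


def is_email(value: str) -> bool:
    """Validate a whole input field: fullmatch() forces the pattern to cover
    every character, so leading or trailing junk is rejected."""
    return EMAIL_RE.fullmatch(value) is not None


def is_email_sloppy(value: str) -> bool:
    """The common mistake: match() only anchors at the start, so anything
    after a valid-looking address is silently accepted."""
    return EMAIL_RE.match(value) is not None


def find_emails(text: str) -> list[str]:
    """Extraction rather than validation: pull every address out of free text
    such as a mail log line. The pattern has no capturing groups, so findall()
    returns the whole matches."""
    return EMAIL_RE.findall(text)


if __name__ == "__main__":
    # Constructed sample inputs: the last one shows why fullmatch() matters.
    for candidate in ["alice@example.com", "Alice@Example.COM", "alice@localhost",
                      "alice@-bad.example", "alice@example.com; extra"]:
        print(f"{candidate!r:32} fullmatch={is_email(candidate)} match={is_email_sloppy(candidate)}")
    print(find_emails("contact alice@example.com or bob@example.org."))
```

Note that "alice@localhost" is rejected because the domain part of the pattern requires at least one dot-separated label before the last one; whether that is right depends on where the data comes from, which is the kind of question the slide's quip is pointing at.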
Slide 7
“Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing.”
Slide 11
netflow version 5
source IP address
destination IP address
next hop router IP address
packet count
byte count
source port
destination port
TCP flags
layer 4 protocol
time at start of flow
time at end of flow
Slide 15
SANS top 10?
hot botnet of the week?
today’s current spearphishing attack?
long term trending?
advanced host/network filtering?
unflattering Halloween costume?
Slide 16
flow-tools, fprobe, probescan, flowd, psyche, ntop, lots of others
flow-tools
discrete remote IPs and timestamps
database of your liking
grind through data, possibly index
profit!
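An added example covering slides 11 and 16 (my code, not the talk's and not flow-tools'): a decoder for the NetFlow v5 header and record layout that yields exactly the fields listed on slide 11, followed by the slide 16 pipeline of putting remote IPs and timestamps into a database of your liking (SQLite here), indexing it, and asking it a question. Field order and sizes follow Cisco's published v5 export format; the datagram is constructed in build_sample_datagram() with RFC 5737 documentation addresses, and the function names are mine.

```python
import sqlite3
import struct
from socket import inet_aton, inet_ntoa

# NetFlow v5 wire format, network byte order: a 24-byte header followed by
# up to 30 fixed 48-byte flow records. Field order follows Cisco's v5 layout.
HEADER_FMT = "!HHIIIIBBH"                # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, ifs, pkts, octets, first, last, ports, ...
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_v5(datagram: bytes) -> list[dict]:
    """Decode one export datagram into the fields the slide lists."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     _seq, _engine_type, _engine_id, _sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header announces more records than the datagram carries")
    # First/Last are router uptime in milliseconds; anchor them to wall-clock
    # time with the header's (uptime, unix time) pair.
    base = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000
    flows = []
    for i in range(count):
        (src, dst, nexthop, _in_if, _out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src_ip": inet_ntoa(src), "dst_ip": inet_ntoa(dst), "next_hop": inet_ntoa(nexthop),
            "packets": pkts, "bytes": octets, "src_port": sport, "dst_port": dport,
            # v5 ORs together every TCP flag seen during the flow
            "tcp_flags": [name for bit, name in TCP_FLAG_NAMES.items() if flags & bit],
            "protocol": proto, "start": base + first / 1000, "end": base + last / 1000,
        })
    return flows


def load_flows(conn: sqlite3.Connection, flows: list[dict]) -> None:
    """Slide 16's pipeline: discrete remote IPs and timestamps into a database
    of your liking, with an index so that grinding through the data stays fast."""
    conn.execute("""CREATE TABLE IF NOT EXISTS flows (
        src_ip TEXT, dst_ip TEXT, src_port INTEGER, dst_port INTEGER, protocol INTEGER,
        packets INTEGER, bytes INTEGER, start_ts REAL, end_ts REAL)""")
    conn.execute("CREATE INDEX IF NOT EXISTS flows_dst ON flows (dst_ip, start_ts)")
    conn.executemany(
        "INSERT INTO flows VALUES (:src_ip, :dst_ip, :src_port, :dst_port, :protocol,"
        " :packets, :bytes, :start, :end)", flows)
    conn.commit()


def talkers_to(conn: sqlite3.Connection, dst_ip: str) -> list[tuple[str, int]]:
    """Remote sources that sent the most bytes to dst_ip, heaviest first."""
    return conn.execute(
        "SELECT src_ip, SUM(bytes) FROM flows WHERE dst_ip = ? GROUP BY src_ip ORDER BY 2 DESC",
        (dst_ip,)).fetchall()


def build_sample_datagram() -> bytes:
    """Constructed test data, not a real capture: one router that has been up
    for an hour exporting two flows, a completed HTTPS session and a lone SYN."""
    header = struct.pack(HEADER_FMT, 5, 2, 3_600_000, 1_243_005_600, 0, 100, 0, 0, 0)

    def rec(src, dst, pkts, octets, first, last, sport, dport, flags):
        return struct.pack(RECORD_FMT, inet_aton(src), inet_aton(dst), inet_aton("10.0.0.1"),
                           1, 2, pkts, octets, first, last, sport, dport,
                           0, flags, 6, 0, 0, 0, 24, 24, 0)

    return (header
            + rec("192.0.2.10", "198.51.100.5", 12, 4800, 3_590_000, 3_599_000, 51234, 443, 0x1B)
            + rec("192.0.2.11", "198.51.100.5", 1, 60, 3_599_500, 3_599_500, 40000, 22, 0x02))


def demo() -> list[tuple[str, int]]:
    """Parse the sample datagram, load it into an in-memory database and ask
    who talked most to 198.51.100.5."""
    conn = sqlite3.connect(":memory:")
    load_flows(conn, parse_v5(build_sample_datagram()))
    return talkers_to(conn, "198.51.100.5")


if __name__ == "__main__":
    for flow in parse_v5(build_sample_datagram()):
        print(flow)
    print(demo())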
Slide 18
problems:
easy to get lost in the minutiae
duplication of work amongst analysts
solutions:
make sure your datasets are complete
documentation is the sad answer
mailing lists
command line entries
full blown ticketing system (please no)
sit everyone in the same room
Slide 23
DNS Logs
May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] 22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: query: hfirw5.ornl.gov IN A +
Slide 25
URL Common Logs (urlsnarf)
160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - "http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)"
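An added example, not from the talk, showing how the two log lines on slides 23 and 25 can be normalised into one schema and merged on a single timeline, which is what combining data sources comes down to in practice. The regexes, the Event record and the function names are mine; the sample lines are the slides' (user agent shortened), and the assumption that the DNS server's unzoned timestamps are US Eastern (-0400, as in the web log line) is labelled in the code.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Sample lines copied from the slides: a BIND query log relayed through syslog
# (slide 23) and an Apache-style common log line produced by urlsnarf (slide 25,
# user-agent string shortened here).
DNS_LINE = ("May 22 15:17:59 160.91.1.30 srcip=160.91.1.30 named[23144]: [ID 873579 local3.info] "
            "22-May-2009 15:17:59.997 queries: info: client 128.219.232.138#62031: view ns1: "
            "query: hfirw5.ornl.gov IN A +")
URL_LINE = ('160.91.20.87 - - [22/May/2009:15:20:17 -0400] "GET http://photos-f.ak.fbcdn.net/'
            'photos-ak-sf2p/v43/33/68557016085/app_1_68557016085_5504.gif HTTP/1.1" - - '
            '"http://apps.facebook.com/schoolofmagic/?src=sidenav&ref=ts" '
            '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"')

# Assumption: the DNS server stamps local time without a zone; we take it to be
# the same offset (-0400) that the web log line carries.
DNS_TZ = timezone(timedelta(hours=-4))

DNS_RE = re.compile(
    r"named\[\d+\]: .*?(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>[\d.]+)#\d+: (?:view \S+: )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")
CLF_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'\S+ \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


@dataclass(order=True)
class Event:
    """One row of a common schema: who touched what, when, according to which source."""
    ts: datetime
    source: str
    client: str
    resource: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Normalise a DNS query or URL log line into an Event; None if it is neither."""
    m = DNS_RE.search(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=DNS_TZ)
        return Event(ts, "dns", m["client"], m["qname"].lower(), m["qtype"])
    m = CLF_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        host = urlsplit(m["url"]).hostname or m["url"]
        return Event(ts, "url", m["client"], host, m["method"])
    return None


def timeline(lines: list[str]) -> list[Event]:
    """Merge heterogeneous log lines into one time-ordered view, dropping what
    cannot be parsed instead of failing the whole batch."""
    return sorted(e for e in (parse_line(line) for line in lines) if e is not None)


def clients_seen(events: list[Event]) -> dict[str, set[str]]:
    """Pivot: per client address, which resources it touched across all sources."""
    seen: dict[str, set[str]] = {}
    for e in events:
        seen.setdefault(e.client, set()).add(e.resource)
    return seen


if __name__ == "__main__":
    for event in timeline([URL_LINE, "not a log line we know", DNS_LINE]):
        print(event)
    print(clients_seen(timeline([URL_LINE, DNS_LINE])))
```

The point of the common schema is that the DNS query and the HTTP fetch, which come from different hosts with different timestamp formats, can be sorted, joined on client address and windowed together once they share a timezone-aware ts field.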
Slide 28
Homebrew data sources
#!/bin/bash
# Count established TCP sessions involving port 9997 (9997 is, for instance,
# the default Splunk receiving port), both in total and by distinct remote
# address, and emit one line a log collector can pick up as a metric.
unique=$(netstat -an | grep ':9997' | grep EST | sed -e 's/.*:9997 *//' -e 's/:.*//' | sort -u | wc -l)
total=$(netstat -an | grep ':9997' | grep EST | wc -l)
echo "netstat total=$total unique=$unique"
Slide 31
Windows Event Logs
Slide 32
A few notes about windows event logs for the brave...
Different operating systems have different codes
Overloaded variable names exist in one event
Inconsistent formats between applications
Forced API usage – no flat text file interface
Difficult to adjust what should or should not be logged
Designed around forensics and not discovery
Slide 34
PCAP – raw data capture
your largest dataset
easily the hardest to use
computationally intensive
smoking gun (unless the traffic is encrypted...)
location of the tap? software used?
tcpdump, time machine, wireshark, tshark... many technologies
All of these technologies can be combined to create something beautiful!
Slide 35
thanks!