Graph Exchange

Nepenthes log correlated with ClamAV and ip2country

This file is the result of correlating data from Nepenthes, ip2country and ClamAV; the process is described in the paper
"An approach to malware collection log visualization" by Jaime Blasco.

Regards

Nessus vulnerability scanner pigized

Graph of a Nessus scan as seen by Snort and Prelude LML using pig

Saint vulnerability scanner pigized

Graph of a Saint scan as seen by Snort and Prelude LML using pig

Retina vulnerability scanner pigized

Prelude IDMEF Grapher (PIG) shows IDMEF data in a multi-axis view for graphical alert analysis. This graph shows what was displayed while performing a scan with the Retina software. Snort and Prelude LML (log analysis) send their alerts to the Prelude manager, which we connect to using pig.

24 hours of firewall logs plotted by dest port over time (color is source port)

Next, a plot of the same data using the destination port number over time points to obvious port scanning in the form of diagonal lines, as well as odd patterns that sync with the previous destination IP address plot.

All of these graphs were created by parsing firewall logs using a perl script and loading them into Advizor Analyst.

24 hours of firewall logs plotted by dest ip (int) over time (color is dest port)

When you plot the destination IP address as an integer over time, many interesting patterns are highlighted. Even more interesting than the horizontal patterns indicating continuous traffic to specific IP addresses are the vertical clusters with regularly repeating frequencies.

All of these graphs were created by parsing firewall logs using a perl script and loading them into Advizor Analyst.
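The two firewall plots above (destination port over time, and destination IP as an integer over time) need the same preparation step: parse each log line, turn the destination address into a number so it can sit on an axis, and keep the timestamp and ports alongside it. The script below is an added example, not the perl script the submitter used and not part of this page. It assumes a constructed, simplified log line format (timestamp, ACCEPT/DROP, src, spt, dst, dpt); a real firewall's format will need its own regex. Beyond preparing plot rows, it also computes per-source counts of distinct destination ports and hosts, which is the numeric equivalent of the diagonal lines (one source walking many ports) and horizontal runs (one source touching many hosts) the text describes; the thresholds are arbitrary values for the example.

```python
import re
import socket
import struct
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (real firewalls differ; adjust the regex).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 -> 32-bit integer, so addresses become a numeric axis."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def parse_line(line: str):
    """One log line -> dict of fields, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "spt": int(m["spt"]),
        "dst": m["dst"],
        "dst_int": ip_to_int(m["dst"]),
        "dpt": int(m["dpt"]),
    }


def plot_rows(lines):
    """Rows of (seconds since first event, dst_int, dpt, spt): the x column plus
    the y/colour columns used by both plots. Unparseable lines are skipped."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    if not recs:
        return []
    t0 = min(r["time"] for r in recs)
    return [((r["time"] - t0).total_seconds(), r["dst_int"], r["dpt"], r["spt"])
            for r in recs]


def scan_indicators(lines, port_threshold=5, host_threshold=5):
    """Per source address: distinct destination ports and hosts it touched.
    Many ports on few hosts is the diagonal-line (port scan) signature in the
    port-over-time plot; many hosts is the sweep visible in the IP-over-time plot.
    Thresholds are arbitrary example values."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for r in map(parse_line, lines):
        if r is None:
            continue
        ports[r["src"]].add(r["dpt"])
        hosts[r["src"]].add(r["dst"])
    return {
        src: {
            "distinct_ports": len(ports[src]),
            "distinct_hosts": len(hosts[src]),
            "port_scan": len(ports[src]) >= port_threshold,
            "host_sweep": len(hosts[src]) >= host_threshold,
        }
        for src in ports
    }


def build_sample_log():
    """Constructed excerpt: one ordinary client, one port scanner, one host sweep,
    and one junk line to show that bad input is skipped rather than crashing."""
    lines = []
    for i in range(3):   # ordinary web traffic from one client
        lines.append(f"2008-03-10 0{i}:15:00 ACCEPT src=192.0.2.3 spt={40000 + i} dst=10.0.0.5 dpt=80")
    for i in range(10):  # one source walking ports 21..30 on a single host
        lines.append(f"2008-03-10 02:00:{i:02d} DROP src=198.51.100.7 spt=54321 dst=10.0.0.5 dpt={21 + i}")
    for i in range(8):   # one source hitting port 445 on eight different hosts
        lines.append(f"2008-03-10 03:00:{i:02d} DROP src=203.0.113.9 spt=1025 dst=10.0.0.{i + 1} dpt=445")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    for row in plot_rows(sample)[:5]:
        print(row)
    for src, info in scan_indicators(sample).items():
        print(src, info)
```

The rows from plot_rows can be written out as CSV and loaded into any plotting tool; the integer form of the destination address is what makes the "dest ip (int) over time" plot possible, since plotting tools cannot order dotted quads as numbers on their own.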

gnuplot of binary / encrypted binary

Two gnuplot bar graphs, one showing byte value counts of a binary file and the other showing the encrypted version of that same file.
From: http://pmelson.blogspot.com/2008/03/quicky-binary-file-visual-analysis.html
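The byte-value bar graph above is a 256-bin histogram of the file's bytes; the encrypted copy has a nearly flat histogram because a decent cipher's output is indistinguishable from uniform random bytes. The script below is an added example, not code from the linked post, that computes those counts, writes them in the two-column form gnuplot's `plot 'file' with boxes` reads, and adds the Shannon entropy figure analysts usually report next to such a histogram. The plaintext sample and the key are constructed; the "encryption" is a toy SHA-256 counter-mode XOR keystream used only to produce a flat distribution for comparison, not a cipher to reuse.

```python
import hashlib
import math
from collections import Counter


def byte_counts(data: bytes) -> list:
    """256-entry list: counts[v] is how many bytes of `data` have value v.
    This is exactly the series each gnuplot bar graph plots."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def gnuplot_data(counts) -> str:
    """Whitespace-separated 'value count' lines, which gnuplot reads directly
    with: plot 'plain.dat' with boxes"""
    return "".join(f"{v} {c}\n" for v, c in enumerate(counts))


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher used only to build the 'encrypted' sample: XOR with a
    SHA-256 counter-mode keystream. Constructed for this example; it is not a
    vetted cipher and exists only to give a flat byte histogram."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed stand-in for an executable: a DOS-style header, runs of zero
# padding and repeated ASCII text, i.e. a very skewed byte histogram.
SAMPLE_PLAIN = (
    b"MZ\x90\x00"
    + b"\x00" * 200
    + b"This program cannot be run in DOS mode.\r\n" * 20
    + b"\x00" * 300
)
SAMPLE_KEY = b"example-key"  # constructed
SAMPLE_CIPHER = keystream_xor(SAMPLE_PLAIN, SAMPLE_KEY)


def compare(plain: bytes, cipher: bytes) -> dict:
    """The numbers a triage script would print beside the two histograms."""
    return {
        "plain_entropy": round(shannon_entropy(plain), 2),
        "cipher_entropy": round(shannon_entropy(cipher), 2),
        "plain_distinct_values": sum(1 for c in byte_counts(plain) if c),
        "cipher_distinct_values": sum(1 for c in byte_counts(cipher) if c),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_PLAIN, SAMPLE_CIPHER))
    with open("plain.dat", "w") as f:
        f.write(gnuplot_data(byte_counts(SAMPLE_PLAIN)))
    with open("cipher.dat", "w") as f:
        f.write(gnuplot_data(byte_counts(SAMPLE_CIPHER)))
```

Run it and then `gnuplot -e "plot 'plain.dat' with boxes, 'cipher.dat' with boxes"` reproduces the pair of bar graphs. The entropy figure is the one-number summary of the same picture: a structured executable lands well below 8 bits per byte, while encrypted or compressed payloads sit close to it, which is why a high-entropy section in an otherwise ordinary file is worth a closer look.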

Visualizing Nepenthes' log_downloads

I use Afterglow to process Nepenthes' logged_submission[1] logs. I needed to see how many hosts are associated with the same malicious binary. So in the graph above one can see attacking hosts (green), a host that is hosting the malware (grey) and the binary that gets pulled from it (blue).

While I'm at this I might as well mention that I made the graph above a couple of days before meeting Mr. Marty at a conf in Indonesia :-)

[1] A typical logged_submission log entry looks like this:
[2007-03-29T17:22:47] 172.16.0.100 -> 172.16.0.10 tftp://172.16.0.100:69/teekids.exe 7097c55ee0535457025dd158bb1988bb
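The graph in this entry hangs on one parsing step: split each logged_submission line into the attacking host, the victim, the host the binary was served from (taken out of the URL) and the MD5, then group by MD5 so that every attacker pushing the same binary lands on the same node. The script below is an added example, not the submitter's AfterGlow setup; it assumes the line format quoted above and that AfterGlow's three-column CSV input (source, event, target) is what the grapher consumed. The first sample line is the one quoted in the entry; the remaining lines, including the hash 0badf00d..., are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches the logged_submission line shown above:
# [timestamp] attacker -> victim url md5
SUBMISSION_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<attacker>[\d.]+) -> (?P<victim>[\d.]+) "
    r"(?P<url>\S+) (?P<md5>[0-9a-fA-F]{32})$"
)


def parse_submission(line: str):
    """One log line -> dict of fields, or None for lines in another format."""
    m = SUBMISSION_RE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    return {
        "ts": m["ts"],
        "attacker": m["attacker"],
        "victim": m["victim"],
        "url": url,
        "host": urlsplit(url).hostname,  # the machine that served the binary
        "md5": m["md5"].lower(),
    }


def group_by_binary(lines):
    """md5 -> sets of attackers, hosting hosts and victims. This answers the
    question in the entry: how many hosts pushed the same binary, and from where."""
    groups = defaultdict(lambda: {"attackers": set(), "hosts": set(), "victims": set()})
    for rec in map(parse_submission, lines):
        if rec is None:
            continue
        g = groups[rec["md5"]]
        g["attackers"].add(rec["attacker"])
        g["hosts"].add(rec["host"])
        g["victims"].add(rec["victim"])
    return dict(groups)


def afterglow_rows(lines):
    """'attacker,hosting host,md5' rows: AfterGlow's three-column CSV input
    (source, event, target), which draws the green -> grey -> blue chain."""
    rows = []
    for rec in map(parse_submission, lines):
        if rec is not None:
            rows.append(f"{rec['attacker']},{rec['host']},{rec['md5']}")
    return rows


# Sample input: the first line is the one quoted in the entry; the rest are constructed.
SAMPLE_LOG = [
    "[2007-03-29T17:22:47] 172.16.0.100 -> 172.16.0.10 tftp://172.16.0.100:69/teekids.exe 7097c55ee0535457025dd158bb1988bb",
    "[2007-03-29T17:40:02] 172.16.0.101 -> 172.16.0.10 tftp://172.16.0.100:69/teekids.exe 7097c55ee0535457025dd158bb1988bb",
    "[2007-03-29T18:03:11] 172.16.0.102 -> 172.16.0.11 http://172.16.0.200:8080/x.exe 0badf00d0badf00d0badf00d0badf00d",
    "not a logged_submission line",
]


if __name__ == "__main__":
    for md5, g in group_by_binary(SAMPLE_LOG).items():
        print(md5, "attackers:", sorted(g["attackers"]), "served from:", sorted(g["hosts"]))
    print("\n".join(afterglow_rows(SAMPLE_LOG)))
```

Piping the afterglow_rows output into AfterGlow gives one node per binary with every attacking host fanning into the hosting host that served it, which is the picture the entry describes; the group_by_binary counts are the same information in tabular form for a report.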

NMap 'Gridsweep' Scan with Decoys

The image shows an Nmap scan. It covers the middle half of a class C network range (.64 to .192) and at the same time probes the popular ports at each address. It is a parallel network and port sweep with decoys to hide the true identity of the scanner, so it simultaneously address-scans and port-scans while spoofing other source addresses to obscure the scanner's identity. The scan was generated by the Nmap command below:

nmap -sS 127.21.146.64-192 -e lo -F -T5 --host-timeout 10m --max-retries 0 --initial-rtt-timeout 25ms --max-rtt-timeout 250ms --max-scan-delay 250ms --scan-delay 10ms --min-hostgroup 32 --max-hostgroup 32 -D 16.0.0.1,64.0.0.1,216.0.0.1

In summary, the command tells Nmap to SYN scan the middle half of the loop-back network (-sS 127.21.146.64-192 -e lo) on common ports (-F) in a non-random manner (-r), and scan in parallel address blocks of 32 (--min-hostgroup 32 --max-hostgroup 32) while creating decoy packets with 3 spoofed addresses (-D 16.0.0.1,64.0.0.1,216.0.0.1).

The data is visualised in InetVis, a time-animated interactive 3-D packet trace visualisation. InetVis supports IP, ICMP, TCP, and UDP. Essentially, it's a 3-D scatter-plot:

  • Green vertical y-axis: destination TCP/UDP port
  • Blue horizontal x-axis: destination IP address
  • Red horizontal z-axis: source IP address

In the sample image, the lines are 'sweeping' across popular ports at each address (in the direction of the blue axis). Note the concentration in the lower port range (bottom of the green axis) where most common service ports reside. The four identical 'columns' of activity are the sources (separated along the red axis). One of these is the true scanner; the others are spoofed decoys. The image is shown with a 45 minute time-window and 'transparent' ageing, which makes older packets fainter. The chosen colour scheme is by destination port.

InetVis was inspired by Stephen Lau's Spinning Cube of Potential Doom. For more details about InetVis, see: http://www.cs.ru.ac.za/research/g02v2468/inetvis.html.