Graph Exchange

Bro-IDS Connection State Graph

As I don't like duplication of the post, the detailed explanation of the graph can be found at security.org.my here.

Cheers ;]

Graphing Tenshi reports

Hi folks,

I wanted to see if I could hook up Tenshi, a log monitoring application, with some pretty graphs, for a long time. The current tree supports a csv output feature that allows piping to something like AfterGlow.

In order to get this you can use something like this in your tenshi configuration (if you use the latest version from the tree):

set csv [0 * * * *] /usr/local/bin/tenshi_graph.sh

Where tenshi_graph.sh could be

#!/bin/sh
# Run by tenshi's csv queue; afterglow reads the CSV report from stdin.
# Two-node mode (-t) links each host to its log patterns; neato lays the graph out.
/usr/local/bin/afterglow.pl -c /etc/afterglow.conf -t | neato -v -Tpng -o /var/lib/tenshi/tenshi_graph.png

and afterglow.conf configuration could be something like

# Rules are tried in order and the first match wins; $fields[2] is the hit count.
color.source="green";
color.target="red" if ($fields[2] > 1000);
color.target="orange" if ($fields[2] > 500);
color.target="blue" if ($fields[2] > 100);
color.target="lightblue" if ($fields[2] > 50);
color.target="yellow" if ($fields[2] == 1);
color.target="white";

This allows having target node colours depending on the number of hits of the affected log, but of course it might be whatever conditions you want. You can see how it's possible to quickly evaluate logs that are common to different servers and their frequency.

Keep in mind that in order to have useful and readable graphs your tenshi configuration must be accordingly tuned. Arbitrary logs in the csv queue would quickly generate huge and unreadable node maps.

This is just an example, more advanced processing can be done. If you have new ideas please share them on tenshi-user@lists.inversepath.com mailing list and/or the SecViz portal :).

Cheers!

Andrea Barisani
andrea@inversepath.com
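To make the colouring rules above concrete, here is an added example (not part of Andrea's post or of the Tenshi or AfterGlow projects) that reimplements the same first-match threshold logic in Python and writes a two-node graph in graphviz syntax, so the result can be compared with what afterglow.pl produces. It assumes the CSV columns are host, log pattern, hit count, which is what the afterglow.conf above implies with $fields[0..2]; the sample rows are constructed. The min_hits option shows one way to act on the post's warning about unreadable node maps: drop low-volume patterns before drawing.

```python
import csv
import io
import sys

# Colour rules in the same order as the afterglow.conf above. AfterGlow takes
# the FIRST rule whose condition holds, so the largest threshold comes first
# and the unconditional default last; reordering them changes the colours.
TARGET_COLOR_RULES = [
    (lambda hits: hits > 1000, "red"),
    (lambda hits: hits > 500, "orange"),
    (lambda hits: hits > 100, "blue"),
    (lambda hits: hits > 50, "lightblue"),
    (lambda hits: hits == 1, "yellow"),
    (lambda hits: True, "white"),
]


def target_color(hits):
    """First matching rule wins, exactly as in afterglow.conf."""
    for matches, color in TARGET_COLOR_RULES:
        if matches(hits):
            return color
    return "white"


def parse_rows(text):
    """Parse 'source,target,hits' CSV (assumed column layout: $fields[0],
    $fields[1], $fields[2] of the afterglow.conf above). Malformed lines
    are skipped rather than aborting the whole report."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 3 or not rec[2].strip().isdigit():
            continue
        rows.append((rec[0].strip(), rec[1].strip(), int(rec[2])))
    return rows


def to_dot(rows, min_hits=1):
    """Emit a two-node-mode graph: hosts (green) linked to log patterns,
    each pattern coloured by the largest hit count seen for it. min_hits
    drops low-volume patterns so a noisy CSV queue stays readable."""
    kept = [(s, t, h) for s, t, h in rows if h >= min_hits]
    sources = sorted({s for s, _, _ in kept})
    targets = {}
    for _, t, h in kept:
        targets[t] = max(targets.get(t, 0), h)
    lines = ["graph tenshi {", "  node [style=filled];"]
    for s in sources:
        lines.append(f'  "{s}" [fillcolor=green];')
    for t, h in sorted(targets.items()):
        lines.append(f'  "{t}" [fillcolor={target_color(h)}];')
    for s, t, h in kept:
        lines.append(f'  "{s}" -- "{t}" [label="{h}"];')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample of what the csv queue might hand over:
# host, log pattern, number of matching lines in the interval.
SAMPLE_CSV = """\
web1,sshd: Failed password,1200
web2,sshd: Failed password,75
web1,cron: session opened,1
db1,kernel: oom-killer,3
"""

if __name__ == "__main__":
    # Usage: tenshi_csv_report | python3 tenshi_dot.py | neato -Tpng -o graph.png
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    print(to_dot(parse_rows(data)))
```

Because the same pattern can be reported by several hosts, the script colours it by the largest count seen; afterglow.pl evaluates its rules per CSV row, so if you want identical output, aggregate the counts before piping into either tool.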

IRC Channel visualisation

I’ve wanted to post this graph for a while but only just got round to anonymising the data.

Looking at piles of IRC logs can be very unilluminating, but it’s not obvious what to do with all the data. One nice way of getting a handle on links between channels is to plot channels with links between them weighted by the number of users in common.

The example above is from a honeynet we ran in 2004/5. The graph shows up a couple of things nicely:

1) There are two distinct groups of channels, and a look at the data shows that these two groups correspond to channels in different languages and,
2) The strong links between a couple of channels in the main group show that these channels are related, and looking at the data shows them to be used for discussing hacking, while the other channels are innocuous.

The original channel names have been replaced by ‘cN’ to protect the guilty.

For a full size copy of the image, see UK Honeynet blog where this was first posted.

Arthur
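The construction Arthur describes (channels as nodes, edges weighted by the number of users in common, names replaced by cN) is easy to reproduce. The following is an added example, not code from the UK Honeynet post: it takes constructed (nick, channel) sightings, such as you would extract from JOIN lines or /names replies in the logs, computes the shared-user weights for every channel pair, relabels channels c1..cN, and emits a graphviz graph with edge thickness proportional to the weight. The anonymisation mapping is returned separately so the key to the real names can be kept aside.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of (nick, channel) sightings. Two groups are built in:
# three English channels sharing users, and two Spanish channels sharing
# users, with nothing connecting the groups. "Bob" and "bob" are one nick.
SAMPLE_MEMBERSHIP = [
    ("alice", "#hack"), ("alice", "#exploits"), ("alice", "#chat"),
    ("Bob", "#hack"), ("bob", "#exploits"),
    ("carol", "#hack"), ("carol", "#exploits"), ("carol", "#chat"),
    ("dave", "#chat"),
    ("erik", "#futbol"), ("erik", "#musica"),
    ("fatima", "#futbol"), ("fatima", "#musica"),
]


def channel_members(membership):
    """Map each channel to the set of nicks seen in it."""
    members = defaultdict(set)
    for nick, chan in membership:
        members[chan].add(nick.lower())  # IRC nicks are case-insensitive
    return members


def shared_user_edges(membership):
    """Weight each channel pair by the number of nicks present in both.
    Pairs with no common user get no edge at all."""
    members = channel_members(membership)
    edges = {}
    for a, b in combinations(sorted(members), 2):
        common = len(members[a] & members[b])
        if common:
            edges[(a, b)] = common
    return edges


def anonymise(channels):
    """Replace real channel names by c1..cN in a stable (sorted) order;
    keep the returned dict if you ever need to map back."""
    return {chan: f"c{i}" for i, chan in enumerate(sorted(channels), start=1)}


def to_dot(membership, min_shared=1):
    """Emit an undirected graphviz graph of anonymised channels. min_shared
    hides weak links so only the strongly related channels stand out."""
    edges = shared_user_edges(membership)
    pseudo = anonymise(channel_members(membership))
    lines = ["graph irc {", "  node [shape=circle];"]
    for (a, b), w in sorted(edges.items()):
        if w < min_shared:
            continue
        lines.append(f'  "{pseudo[a]}" -- "{pseudo[b]}" [label="{w}", penwidth={w}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 irc_channels.py | neato -Tpng -o irc.png
    print(to_dot(SAMPLE_MEMBERSHIP))
```

Raising min_shared is the quickest way to get from a hairball to the two clusters and the few strong links the post points out; on real logs, a Jaccard ratio instead of a raw count avoids very large channels dominating every edge.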

Open ports for a bunch of servers

This is a first attempt at visualizing open ports detected by nmap on around 60 servers.
I've used Freshcookies-Treemap and custom scripts.
Ports are all TCP.

SSH as seen by Argus

A directed graph of intranet SSH sessions as recorded by Argus, graphed using the "two node mode" of afterglow. Data collected with Argus V3.0 from multiple Cisco Netflow sources, graph generated using AfterGlow v1.5.7 and Neato v1.16, all running on OpenBSD.

The latest version of Argus can directly output CSV, so argus2csv is no longer needed. This particular graph was generated by the following:
racluster -r argus.cap -m saddr daddr dport -c, -s saddr daddr - 'tcp and dst port 22' | kevin-anonymize.pl | afterglow.pl -t -e 2 -c test.properties | neato -Tgif -o tcp22argus.gif

This directed graph reminds me of the social network you might see in a suburban high school, and revealed to us some interesting things, including the existence of a new network monitoring tool quietly installed by a rogue internal unix admin team... us and them, we're having a "come to Jesus" meeting tomorrow ;)
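The middle stage of the pipeline above, kevin-anonymize.pl, is the poster's own script and is not shown, so here is an added stand-in (not the poster's code, and not part of Argus or AfterGlow) that does the job in Python. It assumes the racluster output is saddr,daddr CSV as the -c, -s saddr daddr flags produce, and pseudonymises each address octet by octet with a keyed HMAC so that hosts on the same real /24 still land on the same fake /24: the cluster structure that makes the graph interesting survives, while the real addresses do not. The key holder can map a node back to the real host when the graph turns something up, as it did here. Sample rows are constructed.

```python
import csv
import hashlib
import hmac
import io
import ipaddress
import sys

# Constructed sample of racluster output (-c, -s saddr daddr) for dst port 22.
# One duplicate row is included to show that repeated flows collapse to one edge.
SAMPLE_ARGUS_CSV = """\
10.1.1.20,10.1.2.5
10.1.1.20,10.1.2.5
10.1.1.21,10.1.2.5
10.1.1.20,10.1.3.9
192.168.7.4,10.1.2.5
"""


class IPv4Pseudonymiser:
    """Keyed, prefix-preserving pseudonymisation of IPv4 addresses.

    Octet i is XORed with one byte of HMAC(key, real octets 0..i-1). Within
    any real prefix the mapping is a bijection (XOR with a constant), so two
    hosts never collide, addresses sharing a real /8, /16 or /24 share the
    fake one, and the holder of the key can reverse it. Simplified version
    of the Crypto-PAn idea, at octet rather than bit granularity.
    """

    def __init__(self, key: bytes):
        self.key = key

    def _mask(self, real_prefix: bytes) -> int:
        return hmac.new(self.key, real_prefix, hashlib.sha256).digest()[0]

    def pseudonymise(self, addr: str) -> str:
        real = ipaddress.IPv4Address(addr).packed
        fake = bytes(o ^ self._mask(real[:i]) for i, o in enumerate(real))
        return str(ipaddress.IPv4Address(fake))

    def reveal(self, addr: str) -> str:
        """Inverse mapping: recover octets left to right, since each mask
        depends only on the real octets already recovered."""
        fake = ipaddress.IPv4Address(addr).packed
        real = bytearray()
        for i, o in enumerate(fake):
            real.append(o ^ self._mask(bytes(real[:i])))
        return str(ipaddress.IPv4Address(bytes(real)))


def anonymise_edges(text, key):
    """Read saddr,daddr rows, pseudonymise both ends, drop duplicate edges
    and anything that is not an IPv4 pair (headers, IPv6 flows)."""
    pseud = IPv4Pseudonymiser(key)
    seen, edges = set(), []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 2:
            continue
        try:
            edge = (pseud.pseudonymise(rec[0].strip()), pseud.pseudonymise(rec[1].strip()))
        except ipaddress.AddressValueError:
            continue
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def to_csv(edges):
    """Two-column CSV, which afterglow.pl -t reads directly."""
    return "".join(f"{s},{d}\n" for s, d in edges)


if __name__ == "__main__":
    # Usage: racluster ... -c, -s saddr daddr - 'tcp and dst port 22' \
    #        | ANON_KEY=... python3 anonymise.py | afterglow.pl -t -e 2 -c test.properties
    import os
    key = os.environ.get("ANON_KEY", "change-me").encode()  # assumed env var, example only
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARGUS_CSV
    sys.stdout.write(to_csv(anonymise_edges(data, key)))
```

Keep the key with the same care as the raw flow data: anyone holding it can reverse every node in the published graph. Prefix preservation is itself a leak, since a reader who knows one real address can learn which fake nodes share its subnets, which is the usual trade-off when the subnet structure is exactly what you want the graph to show.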

Iptables config

This graph shows the IPTables output graphically.
Blue is for UDP and Yellow for TCP.

Generated by Ruined (http://ruined.sf.net)

Spider attack on a web server

The red pillar in the image shows the barrage of HTTP requests over the whole content space (Z axis, vertical) from a single IP address (Y axis, horizontal). The red color is due to the 5xx status code of the response. My article "A New, Improved Visualization for Web Server Logs" has more details. Raju Varghese (raju -at- intellisoft.ch).

Jamming Security Visualization Tools...

This is an image of a parallel coordinate plot (source IP, source TCP port, destination TCP port, source UDP port, destination UDP port, destination IP) that I created using the rumint visualization tool. TCP is in green and UDP is in orange. I deliberately jammed the visualization display by creating packets with random source IP addresses and sequential source and destination ports. If you are interested in more details they are available in this paper [PDF].

Moving Nodes on Screen

Screens of my survey. Interacting with the Graph. Moving Nodes to unsnarl the view. Later on, context menus will make it easy to filter on a special Node. Project is in Development. This is a picture from the design survey.

3D Network Topology

Tenable Network Security's Security Center includes a 3D visualization tool that can derive network topology information from distributed Nessus vulnerability scanners. Each node in the center helix of the above graph is a detected router. Clicking on the router can expose the number of hosts "behind" each router. Placing your mouse over a node displays its vulnerabilities, and placing your mouse over the router can display its links to other routers. The entire display can be rotated and loaded with different data sets. For example, a user could query the Security Center to get a list of all web servers, then perform a second query for all web servers which perhaps didn't have logging enabled, and then display these locations on the topology. A video of the 3D tool in action is located here.