Discussions

This is where you can start discussions around security visualization topics.

NOTE: If you want to submit an image, post it in the graph exchange library!

You might also want to consider posting your question or comment on the SecViz mailing list!

Discussion Entries

DNS Behavior - Puzzle

I need your help!

I am looking through an old log file of a server with IP address 195.141.69.45 that I operated in 2002. The machine was running SuSE Linux 6.0 (i386). It ran bind (9.1.0), sendmail (8.11.2), and was mainly used as an SMTP server to send mails for a number of users. I found these logs from my pf firewall that was in front of the box:

Oct 21 06:06:58.096785 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 61.215.160.253.53: 2520 [1au][|domain] (DF)
Oct 21 06:06:58.401472 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 210.175.50.163.53: 16979 [1au][|domain] (DF)
Oct 21 06:07:00.407500 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 210.175.50.162.53: 47817 [1au][|domain] (DF)
Oct 21 06:07:02.417637 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 61.215.160.254.53: 34849[|domain] (DF)
Oct 21 06:07:11.298946 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 204.123.2.19.53: 20792 [1au] MX? www.com.ar. (39) (DF)
Oct 21 06:07:11.477536 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 200.10.202.3.53: 21611 [1au] MX? www.com.ar. (39) (DF)
Oct 21 06:07:11.804894 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 200.68.93.195.53: 21263 [1au] MX? www.com.ar. (39) (DF)
Oct 21 06:15:19.667120 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 194.83.244.131.53: 60127 [1au] MX? sticksandstones.co.uk. (50) (DF)
Oct 21 06:15:19.691967 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 212.62.7.30.53: 58792 [1au] MX? sticksandstones.co.uk. (50) (DF)
Oct 21 06:20:00.844472 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 192.12.94.30.53: 29396 MX? about.com. (27) (DF)
Oct 21 06:20:00.859900 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 205.151.222.254.53: 14698[|domain] (DF)
Oct 21 06:20:01.021076 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 207.126.123.236.53: 13317 [1au] MX? about.com. (38) (DF)
Oct 21 06:20:01.070317 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 65.214.161.5.53: 14337 [1au] MX? mx13.crazed.com. (48) (DF)
Oct 21 06:21:02.121813 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 192.33.14.30.53: 34672 MX? poetic.com. (28) (DF)
Oct 21 06:21:02.297033 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 216.21.234.76.53: 25081 [1au] MX? poetic.com. (39) (DF)

As you can see, there are a number of DNS lookups. They span a total of about two weeks and ALL of them are using a source port of 1030. Why 1030? Why is it fixed all the time? Shouldn't the source port change?

There are other logs intermixed, where DNS lookups happen from other source ports:

Oct 13 20:46:03.915405 rule 184/0(match): pass in on xl1: 195.141.69.42.63994 > 193.192.227.3.53: 60676+[|domain]

Those are normal and I completely understand those. Any ideas why all these others have 1030 as a source port?
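The post above is a log-reading exercise, so here is a small parser for the pf/tcpdump-style lines it quotes, written as an added example (not code from the post or from SecViz). It splits each line into rule, interface, source/destination address and port, the DNS transaction id, and whatever tcpdump could decode of the query, then groups the queries by (source address, source port) so that one UDP source port being reused toward many different name servers stands out as a single line of output. Two tcpdump conventions are used: `[1au]` marks one OPT record in the additional section (an EDNS0 query), `[|domain]` marks a packet cut off by the capture length, and a `+` right after the transaction id means the RD (recursion desired) bit is set. The sample input is copied from the post; everything else (the regex, the field names, the `min_servers` threshold) is this example's own choice.

```python
import re
from collections import defaultdict

# Assumed line format: pflog output as printed by tcpdump, one packet per line,
# as quoted in the post above. Field names are this example's own.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<rd>\+?)\s*(?P<rest>.*)$"
)
# "MX? www.com.ar. (39)" -> query type, name and payload length as tcpdump prints them
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<qlen>\d+)\)")

# Sample input: the sixteen lines quoted in the post (fifteen from port 1030, one from 63994).
SAMPLE_LINES = [
    "Oct 21 06:06:58.096785 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 61.215.160.253.53: 2520 [1au][|domain] (DF)",
    "Oct 21 06:06:58.401472 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 210.175.50.163.53: 16979 [1au][|domain] (DF)",
    "Oct 21 06:07:00.407500 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 210.175.50.162.53: 47817 [1au][|domain] (DF)",
    "Oct 21 06:07:02.417637 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 61.215.160.254.53: 34849[|domain] (DF)",
    "Oct 21 06:07:11.298946 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 204.123.2.19.53: 20792 [1au] MX? www.com.ar. (39) (DF)",
    "Oct 21 06:07:11.477536 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 200.10.202.3.53: 21611 [1au] MX? www.com.ar. (39) (DF)",
    "Oct 21 06:07:11.804894 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 200.68.93.195.53: 21263 [1au] MX? www.com.ar. (39) (DF)",
    "Oct 21 06:15:19.667120 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 194.83.244.131.53: 60127 [1au] MX? sticksandstones.co.uk. (50) (DF)",
    "Oct 21 06:15:19.691967 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 212.62.7.30.53: 58792 [1au] MX? sticksandstones.co.uk. (50) (DF)",
    "Oct 21 06:20:00.844472 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 192.12.94.30.53: 29396 MX? about.com. (27) (DF)",
    "Oct 21 06:20:00.859900 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 205.151.222.254.53: 14698[|domain] (DF)",
    "Oct 21 06:20:01.021076 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 207.126.123.236.53: 13317 [1au] MX? about.com. (38) (DF)",
    "Oct 21 06:20:01.070317 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 65.214.161.5.53: 14337 [1au] MX? mx13.crazed.com. (48) (DF)",
    "Oct 21 06:21:02.121813 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 192.33.14.30.53: 34672 MX? poetic.com. (28) (DF)",
    "Oct 21 06:21:02.297033 rule 57/0(match): pass in on xl1: 195.141.69.45.1030 > 216.21.234.76.53: 25081 [1au] MX? poetic.com. (39) (DF)",
    "Oct 13 20:46:03.915405 rule 184/0(match): pass in on xl1: 195.141.69.42.63994 > 193.192.227.3.53: 60676+[|domain]",
]


def parse_line(line):
    """Parse one pflog line into a dict, or return None if it is not a pf packet line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport", "txid"):
        rec[key] = int(rec[key])
    rec["recursion_desired"] = rec.pop("rd") == "+"   # tcpdump prints "+" after the id when RD is set
    rest = rec.pop("rest")
    rec["edns"] = "[1au]" in rest                      # one OPT record in the additional section
    rec["truncated"] = "[|domain]" in rest             # decode stopped at the capture length
    q = QUERY_RE.search(rest)
    rec["qtype"] = q.group("qtype") if q else None
    rec["qname"] = q.group("qname") if q else None
    rec["qlen"] = int(q.group("qlen")) if q else None
    return rec


def summarize_by_source(records):
    """Group port-53 queries by (src, sport): query count, distinct servers, RD usage, names."""
    summary = defaultdict(lambda: {"queries": 0, "servers": set(), "rd": 0, "qnames": set()})
    for r in records:
        if r["dport"] != 53:
            continue
        s = summary[(r["src"], r["sport"])]
        s["queries"] += 1
        s["servers"].add(r["dst"])
        s["rd"] += int(r["recursion_desired"])
        if r["qname"]:
            s["qnames"].add(r["qname"])
    return dict(summary)


def fixed_source_ports(records, min_servers=5):
    """(src, sport, queries, servers) for source ports reused toward at least min_servers servers."""
    out = []
    for (src, sport), s in summarize_by_source(records).items():
        if len(s["servers"]) >= min_servers:
            out.append((src, sport, s["queries"], len(s["servers"])))
    return sorted(out, key=lambda t: -t[3])


if __name__ == "__main__":
    recs = [r for r in (parse_line(l) for l in SAMPLE_LINES) if r]
    for src, sport, n, servers in fixed_source_ports(recs):
        print(f"{src}:{sport} sent {n} queries to {servers} distinct name servers from one UDP source port")
```

What the grouping shows is exactly the split the poster noticed: the port-1030 lines carry no `+`, so they are iterative queries without RD, the kind a recursive name server sends out on its own behalf, while the 63994 line has RD set, as a stub query from a local process would. Grouping by (source address, source port) is also the check a defender would keep in a DNS pipeline: a resolver sending all of its iterative queries from one fixed UDP port leaves only the 16-bit transaction id as protection against spoofed answers, which is why randomizing the source port later became standard resolver practice.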

DAVIX 2014 - Released

Visual Analytics Workshop - Link Collection Part VII - Visualization Tools

The section most anticipated during the Visual Analytics Workshop is probably the one where we get hands-on exposure to a number of visualization tools. We look at both actual tools and programming libraries. Here we go:

These are the tools and libraries we discuss during the workshop. Obviously, there are many more libraries and tools that I like to use in my daily work. But that will be a separate post at some point in the future.

Looking for the previous list of links for the workshop?

- Introductory Links
- Data Sources
- Data Processing
- Log Management and SIEM
- Big Data
- Visualization

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

Visual Analytics Workshop - Link Collection Part VI - Visualization

Next up: Visualization, the sixth module of the Visual Analytics Workshop. Note that this section draws mostly on books rather than on Web-based resources that could be linked here, hence a rather short collection.

Looking for the previous list of links for the workshop?

- Introductory Links
- Data Sources
- Data Processing
- Log Management and SIEM
- Big Data

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

Next up: Visualization Tools

Workshop: Big Data Visualization for Security

I had the pleasure of attending the Underground Economy Conference this year in Bucharest, Romania. I ran a 90 minute workshop on big data and visualization. The workshop covered a number of tools, such as:

Firewall Log in Gephi

Here are the slides from the workshop [Well, almost all of them. Having attended the workshop, you will have seen some more]. In addition, you can download the DAVIX image that you need for the exercise.

Visual Analytics Workshop - Link Collection Part V - Big Data

This next module of the Visual Analytics Workshop is about Big Data. Here are the links that show up during this section. Keep in mind that this module in particular is constantly evolving and has changed a lot over the last months. New sections and links will be added to the training class very frequently.

Looking for the previous list of links for the workshop?

- Introductory Links
- Data Sources
- Data Processing
- Log Management and SIEM

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

Stay tuned for the next link collection!

Visual Analytics Workshop - Link Collection Part IV - Log Management and SIEM

This is the Labor Day issue of the link collection series. The third module of the Visual Analytics Workshop is about Log Management and SIEM.

Looking for the previous list of links for the workshop?

- Introductory Links
- Data Sources
- Data Processing

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

Stay tuned for the next link collection which will be on big data!

Visual Analytics Workshop - Link Collection Part III - Data Processing

Here is part three of the link collection series. The second module of the Visual Analytics Workshop is about Log Data Processing.

- CommandlineFu
- Regex Lib
- Regular Expression Information
- Regex One
- RegExr
- Geo Lookup On The Commandline
- Log Analysis Scripts
- DAVIX
- httpry
- dnstop
- Emerging Threats
- HoneySnap
- LogParser
- LogParser Studio

Looking for the previous list of links for the workshop?

- Introductory Links
- Data Sources

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training

Next workshop is in Amsterdam

Visual Analytics Workshop - Link Collection Part II - Data Sources

The first module of the Visual Analytics Workshop is about Data Sources.

As a foundation for later visualizations, we first need to understand what the data means. Below are the links to the tools and additional material we go through. (Note that the links might not cover all of the tools in this module; they are merely all the links that show up on the slides.)

Find the previous list of links at the first link collection post.

Wanna know more about the visualization workshop? Email me or visit http://pixlcloud.com/training