Visualizing Bro Logs

Visualizing Bro Logs

It might not be the pretties graph, but it tells a story. This graphs was generated with R and shows the number of HTTP connections per Host header field. I generated this graph with data from Bro's HTTP.log file.

A few other graphs and R scripts can be found on my blog, http://anthonykasza.webs.com/blog23.html

SSL Trust Delegation

SSL Trust Delegation

This graph shows a part of the global SSL trust relationships. It was generated with AfterGlow and Gephi (by using the -k parameter of AfterGlow to generate a GDF file). Node size is based on the number of children for each node. The big green node is the DFN CERT. And no, it doesn't mean that the DNF CERT is trusted more than any other certificate authority...

C&C ASN "Clusters"

C&C ASN "Clusters"

As I've been putting together an R package for mining open source IP "intelligence" data, I decided to play with visualizing malicious host categories in AlienValut's IP reputation database. This image is a network graph plot (using R & igraph) of AlienVault identified C&C nodes as they relate to host ASNs (with ASN peers included). Red nodes are the C&C hosts, gold nodes are the the ASNs.

I did the same with a subset of "Malicious Hosts" in AlienValut's db and am thinking that tracking these over a day (/week/month/year) would make for an interesting view of the ebb & flow of C&C hosts.

Security Visualization Events

In December I'll be presenting on security intelligence and the interplay of visualization and data mining.

I wrote a blog post that introduces the talk in Palo Alto a little bit. It's about Supercharging Visualization with DataMining. Check it out and make sure you RSVP for the event tomorrow.

Security Visualization Training in Dubai

There are a couple of seats open for next week's security visualization workshop in Dubai. The training is held Friday and Saturday, November 9th and 10th in Dubai.

The topics are anything from data sources to log processing to a lot of eye-catching visualizations, and a great module on big data. The signup link contains all the information you need.

Hope to see you in Dubai next week!

VizSec 2012 - Keynote

A week ago, in Seattle, VizSec 2012 was taking place. I had the honor to present the keynote, which I used as an opportunity to talk about the state of the security visualization space. Here is the video of the talk.

This is a quick outline of the talk:

  • Security visualization - The most exciting field
  • The vision - This section talks about some of the challenges that we have in security visualization and what I would like to see in a security visualization application. Well, some of what I would like to see, there are some parts I left out and will hopefully deliver through pixlcloud in the not so far future.
  • Why is security visualization so hard? I am talking about a few reasons why we have such a hard time with visualizing security data. One of the issues is that we are different; security visualization is different from all the other fields out there. We have problems and data that no other area deals with. We have a lot of IP addresses, for example or port numbers. If we try to work with other domain experts, for example from the data mining space, they don't understand our data well enough to build good algorithms. One very common problem are 'distance functions'. They are incredible hard to define and because our data is mostly categorical and not numerical, that presents a significant problem. I also see port numbers being treated as continuous variables, which is just plain wrong.
  • Security analysts - I am providing a little bit of a provocative view of security analysts. There is no defined way of analyzing security data and therefore, every analyst is doing his/her work differently. If we try to build a tool for any one of them, the next one might not be able to use it at all.
  • Visualizing big data - I am offering a little bit of an answer on how to visualize a large amount of data. It all comes back to Ben Shneiderman with his information seeking mantra.
  • Data mining - I have been looking into data mining a lot lately. I am trying to define what the right interplay between data mining and visualization is. Either of the disciplines alone won't solve our problems. Together they can unlock a lot of insights, however. But don't be fooled. Data mining is super hard to get right.
  • Moving forward - I quickly outline what's going on out there. Visualization contests seem to gain popularity. I close with my challenge to everyone of solving the many problems that we still face. If you are a researcher, have a look at this slide and help us solve some of the problems.
    • Following are the slides from the talk. Unfortunately, my video recording from the VizSec keynote failed. I was presenting at Microsoft however, the same week and I was able to record my talk there. Same slides.

More SPAM

The past couple of months have been pretty clean from SPAM in the secviz feed, after I implemented a moderator queue for all the content. This seems to work pretty well. However, the system doesn't let me enable a moderator queue for images in the image gallery. That's why you have seen a few SPAM images in the feed (for example this morning).
I took another step to prevent this. When signing up as a user, you will have to be approved from now on. This seems to be the only way for me to prevent SPAM once and for all. I hope I'll be able to distinguish real users from spammers upon signup. I'll figure that one out.

Looking forward to seeing your posts here!

Pretty Nessus with Prenus

Pretty Nessus with Prenus

After a series of Nessus jobs (with hundreds of nodes and thousands of findings) I scrapped together Prenus, the pretty Nessus .. thing. Consuming Nessus XML files and outputting in a few different formats, including Afterglow or Circos formatted files, can help construct these sorts of images. Useful if you have stacks of data. You can read more over here.

Hourly Network Traffic for Thousands Computers

Hourly Network Traffic for Thousands Computers

The picture shows the hourly amount of network traffic for thousands of hosts in a large computer network for 24 hours. The different nested circles represent the subnet hierarchy of the IP addresses. Each filled circle represents a whole subnet or a single hosts. Each circle consists of 24 segments, while each colored segment visualizes the number of bytes transferred in the respective hour.

More Information and Interactive Demo on: http://ff.cx/clockmap/

AfterGlow Cloud: Second release

AfterGlow cloud has evolved further into another release; with many improvements added to the initial version. With GSoC 2012 approaching an end, we've covered all the additional features we planned for in the second phase of development, post mid-term. Building up on the initial version, this post will run you through the general features and additional improvements covered.

A live demo of this release can be found here: http://andromeda.ayrus.net:8080/

Data sources: In addition to the initial method of uploading AfterGlow compatible CSV file, the application now supports two new methods of visualizing your data. You can now upload your logs straight from the source and have it parsed (to a CSV file) and then, rendered on the fly. Additionally, AfterGlow Cloud is now integrated with Loggly.com's API. Loggly is a service which is used collect log data for monitoring and analyzing the data. With an account at Loggly, you can now search and import your logs straight from Loggly and have it visualized. Your authorization to the application to access your account at Loggly remains on our end for about a hundred days, beyond which you'll have to re-authenticate the application again. You can however revoke access to the application anytime. Both of these new additions, require you to specify a parsing scheme which is covered below.

Log parsing: Logs you upload directly or from your Loggly account have to be parsed initially for them to be visualized later. For this to happen, a regular expression has to be provided which groups two or three columns of data (if you're using two columns you'll have to check "Two Node Mode") from each line in your log. You can either specify a custom expression or select one the 'predefined' expressions. While provided a a custom regular
expression to parse your log, you're given an opt-in choice to save your expression as 'Predefined' for other users to use.

Settings tab: These define general settings over the way you want your final graph to be rendered. For example, "Print Node Count" prints the frequency at which each node occurs in the data uploaded beside the node's label while, "Text Label Colour" lets you choose the colour of text on each node. Each field on the application throughout is appended with a "?" help link. Hovering over this link, will provide you a small tip as to what they're supposed to do.

Advanced settings tab: These settings go a little beyond the general settings. As examples, "Soruce fan out threshold" will give a lower limit on the number of edges originating from each source node. If one or more source nodes don't have the required (threshold) number of edges originating from them, they're omitted on the graph. Same idea applies to "Omit threshold for each node" but with the threshold presiding over the frequency at which each node occurs throughout the data.

Configurations tab: These settings fine-tune your graph and often bring about interesting patterns, useful for visualization. Each fieldset in this tab provide a way to identify properties across the nodes in the graph. Examples: Option 'port' in clustering provides a way to cluster all the nodes with a specific bound for the port they represent. Giving a value of "2000" would mark and cluster (group) all the nodes representing a port higher than 2000 together. 'Number of occurrences' in Size fieldset, will have the size of each node proportionate to the frequency at which they appear throughout the log. A node with a heavy frequency would appear thick and vice-versa. This helps you to notice interesting patterns. If you're very familiar with the way configurations work with AfterGlow you also have the option of specifying these manually using the "Manual" option. You can simply cut/paste from a configuration file or write your configuration file by hand in a textbox. AfterGlow Cloud also saves your configuration every time you render a graph. When you choose to render a graph again, you can simply use your 'last used configuration' and it'd import the same configuration file you used last time. Alternatively, you can 'import' the last used configuration into the manual mode and further fine-tune it manually.

Rendering Engines: The application now supports using dot/sfdp in addition to using neato using GraphViz. More information about these, if you're unsure can be found here.

Gallery: You can submit the graphs you render using the application to a public gallery (with some details of it) for other users to view.

As an example (a very rudimentary example actually), here's how you might parse a typical Apache log. For this example we'll be using a very small portion of the log (attached), parse the client IP and the size of the request from it and try to render it.

We first point to the demo access log file from Apache and since we're uploading a log directory from our source, we'll have to select the "Log" option to have it parsed to a CSV (compatible with AfterGlow) and then render it. We've also checked the "Two node mode" box since, we'll be only extracting two columns (IP/Size) from our data. For the parser, we use a predefined regular expression which extracts the client IP and request size from an Apache log using the Common Log Format:

On the settings end, for some eye-candyness we define an edge length of 1.5 (length of an edge between two nodes) and define the text label colour as white:

Finally, on the configurations end, we add three colour configuration settings. All source node (Client IP) will be coloured with a shade of green. Target nodes (size nodes with a value of more than 2000 -- in this context it converts to more than 2000 bytes) will be coloured red. All the other target nodes will be coloured with a shade of orange. It's important to note here that configurations are read line-by-line hence, the line ordering matters. This type of configuration will show a really simple relation between how many bytes each client has requested in each request, but it will specifically mark the request with more than 2000 bytes in red (say you wanted to visualize the 'heavy' requests):

The resulting graph from these settings looks like:

You can see from the (really simple) example above some of the 'heavy' (we're classifying 'heavy' as >2000 bytes for the sake of an example here) requests from different clients.

From the development perspective, AfterGlow Cloud can now be deployed to a production like environment. The application (and the demo above) README cater to deploying the application on Apache using mod_wsgi. If you wish to run your own instance of the application, you can clone the source from the repository. A detailed README (pertaining to a machine running Ubuntu) is also available to help you setup. The README walks through the complete steps required from scratch to set the environment and the application (to the point that you can get it running on a fresh Ubuntu install without a hassle). The codebase has also been documented in detail, should you wish to fork and play with it.

This release marks the next version of AfterGlow Cloud. Please report any bugs or comments you have using the contact form on the demo :)