DAVIX Visualization Workshop
Jan Monsch (iplosion.com), Raffael Marty (secviz.org)

Speakers
Raffael Marty
- Chief Security Strategist, Splunk
- Passion for Visualization
- http://secviz.org, http://afterglow.sourceforge.net
- Author of "Applied Security Visualization": paperback, 552 pages, Publisher: Addison Wesley (August 2008), ISBN 0321510100
Jan P. Monsch
- Senior Security Analyst
- DAVIX initiator and engineer
- http://davix.secviz.org, http://www.iplosion.com

Workshop Preparation
• 30 DAVIX CDs
  - DAVIX image
  - DAVIX manual
  - PCAP file for analysis in /root
• Recommended setup
  - VMware Player or VMware Fusion
  - Bridged or NAT networking
  - Configure the host to access the DEFCON wireless network
Copy the files to your disk and hand the CD to your neighbor.
VM setup assistance: Chapter 6.1.1 and 6.1.2 in the manual.

Agenda
• DAVIX
• Visualization
• Example analysis
• Hands-on analysis
• Show us what you got

Goal
You can use DAVIX to analyze your data.

Visualization Questions
• Who analyzes logs?
• Who uses visualization for log analysis?
• Who has used DAVIX?
• Have you heard of SecViz.org?
• What tools are you using for log analysis?

Data Analysis and Visualization Linux (DAVIX)

What is DAVIX?
• Live Linux CD system based on SLAX 6
  - Software packages are modularized
  - Easily customizable
  - Runs from CD/DVD, USB stick or hard drive
• Collection of free tools for data processing & visualization
  - Tools work out of the box
  - No compilation or installation of tools required
• Comes with documentation
  - Quick start description for the most important tools
  - Links to manuals and tutorials

Why Did We Build DAVIX?
• No free solution offering a wide range of visualization tools
  - Huge hurdle for people to get started with visualization
• Cumbersome to get tools running
  - Compiler issues, e.g. gcc 3 vs. gcc 4
  - Dependencies on uncommon and old libraries
  - Different runtime environments
• DAVIX Goals
  - Getting tools running is simple: the user can concentrate on analysis
  - Easily customizable: users can add missing things
  - Perfect workspace to get you started with visualization

User Interface - Menu Organization
• Menu organized around the information visualization process: Capture -> Process -> Visualize
• Tools often cover more than one category
  - AfterGlow: Process, Visualize
• Additional tools/services
  - Apache, MySQL, NTP

Tools
Capture
  - Network tools: Argus, Snort, Wireshark
  - Logging: syslog-ng
  - Fetching data: wget, ftp, scp
Processing
  - Shell tools: awk, grep, sed
  - Graphic preprocessing: AfterGlow, LGL
  - Data enrichment: geoiplookup, whois, gwhois
Visualization
  - Network traffic: EtherApe, InetVis, tnv
  - Generic: AfterGlow, LGL Viewer, Mondrian, R Project
(Non-exhaustive list of tools)

PDF User Manual
• Quick start guide
• Network setup information
• Tool usage examples
• Links to online resources: tool home pages, manuals, tutorials
• Customizing DAVIX
  - Customizing the ISO image
  - Creating new modules
  - Installation on USB stick or hard drive

User Manual in the Menu
• The manual is browsable by chapter ...
• ... or by individual tool chapters

The Manual Is Not
• Not an introduction to security analysis methodologies
• Not a collection of security analysis use-cases
• Not covering exhaustive examples
  - The usage examples are not security related
  - It is a quick usage guide for the tools
• Look at Raffael's book to get these details

Customizations
• DAVIX and SLAX can be modified in two ways
  - LZM modules: add or remove modules in the directory /slax/modules. Modules are highly compressed software packages.
  - rootcopy: overwrite or add individual files of LZM modules by copying modified files to the directory /slax/rootcopy
• LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm

Visualization

Information Visualization Process
Capture -> Process -> Visualize

Data Formats
• CSV, TSV
    10.0.0.2,80,2.3.2.12,failed
    10.0.0.2,80,2.3.2.15,success
• TM3 (tab-separated, with a header row and a type row)
    Source    Port     Destination  Action
    STRING    INTEGER  STRING       STRING
    10.0.0.2  80       2.3.2.12     failed
• GML
• DOT
    digraph structs {
      graph [label="My Graph"]
      node [shape=ellipse]
      edge [len=1]
      "ram" -> "activity 1"
      "ram" [fillcolor=white]
    }

AfterGlow 1.x
CSV File -> AfterGlow (Parser -> Grapher) -> Graph Language File
Input CSV:
    aaelenes,Printing Resume
    abbe,Information Encryption
    aanna,Patent Access
    aatharuv,Ping
Output (DOT):
    digraph structs {
      graph [label="AfterGlow 1.5.8", fontsize=8];
      node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
      edge [len=1.6];
      "aaelenes" -> "Printing Resume";
      "abbe" -> "Information Encryption";
      "aanna" -> "Patent Access";
      "aatharuv" -> "Ping";
    }
An Example Analysis

Worms in Mobile Networks
• Problem: find worms in mobile networks
• Data: Call Detail Records (CDR)
    20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
• Process: extract the sender and recipient numbers (fields 5 and 6) as a two-column CSV
    cat mms.cdr | awk -v OFS=, '{print $5,$6}'
• Visual Transformation
[Figure: Multimedia Message Service graph - Service Numbers]
[Figure: Multimedia Message Service graph - Long Chains]
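The analysis the awk step sets up, carried through in Python as an added example (not code from the workshop or from DAVIX): it selects fields 5 and 6 of each record (sender, recipient), counts distinct recipients per sender (a handset sending one image to many numbers is the fan-out a worm produces), and measures the longest forwarding chain, the "Long Chains" pattern the second figure shows. The CDR records, the threshold and the function names are constructed for this example; a malformed record is included to show that truncated lines are skipped rather than crashing the run.

```python
"""Fan-out and chain analysis over MMS call detail records (CDRs).

Added example; not part of the DAVIX workshop material. The records below
are constructed to follow the field layout of the CDR shown on the slide
(whitespace separated, sender number in field 5, recipient in field 6);
all numbers are fake.
"""
from collections import defaultdict


def cdr_line(ts, src, dst, mime="image/jpeg"):
    """Build one constructed CDR line with the slide's field layout."""
    return (f"{ts} GMT {ts} GMT {src} {dst} 0 63517 {ts} GMT "
            f"19700101000000 GMT {mime} CHEC1_MMSC1 MM4Rrecord 0 1 MM1")


# One handset sends to four recipients; recipients forward the message on,
# and one of them sends it back to the origin, which forms a loop.
SAMPLE_CDR = [
    cdr_line("20051117225657", "41790000001", "41790000002"),
    cdr_line("20051117225701", "41790000001", "41790000003"),
    cdr_line("20051117225704", "41790000001", "41790000004"),
    cdr_line("20051117225709", "41790000001", "41790000005"),
    cdr_line("20051117225800", "41790000002", "41790000006"),
    cdr_line("20051117225900", "41790000006", "41790000007"),
    cdr_line("20051117230000", "41790000007", "41790000001"),
    cdr_line("20051117230100", "41791111111", "41792222222"),
    "20051117230200 GMT truncated record",  # malformed, must be skipped
]


def extract_pairs(lines):
    """Same selection as the slide's awk step: fields 5 and 6 of each record."""
    pairs = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # truncated record: skip it instead of failing the run
        pairs.append((fields[4], fields[5]))
    return pairs


def fan_out(pairs):
    """Number of distinct recipients per sender."""
    recipients = defaultdict(set)
    for src, dst in pairs:
        recipients[src].add(dst)
    return {src: len(dsts) for src, dsts in recipients.items()}


def suspicious_senders(pairs, threshold):
    """Senders whose fan-out reaches the threshold, highest fan-out first."""
    counts = fan_out(pairs)
    hits = [s for s, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda s: (-counts[s], s))


def longest_chain(pairs):
    """Length in hops of the longest simple forwarding chain A -> B -> C ...

    A number is never revisited on one path, so reply loops do not recurse
    forever. The search is exhaustive and only meant for small graphs.
    """
    adjacency = defaultdict(set)
    for src, dst in pairs:
        adjacency[src].add(dst)

    def depth(node, on_path):
        best = 0
        for nxt in adjacency.get(node, ()):
            if nxt in on_path:
                continue
            best = max(best, 1 + depth(nxt, on_path | {nxt}))
        return best

    return max((depth(n, {n}) for n in adjacency), default=0)


def analyze(lines, threshold=3):
    """Summary of one CDR batch: pair count, high fan-out senders, chain length."""
    pairs = extract_pairs(lines)
    return {
        "pairs": len(pairs),
        "suspicious": suspicious_senders(pairs, threshold),
        "longest_chain": longest_chain(pairs),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CDR).items():
        print(f"{key}: {value}")
```

The fan-out threshold is the tunable: on real MMSC data, service numbers (the first figure) legitimately send to many recipients, so they should be whitelisted before the count is used as a worm indicator.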
Hands-on Analysis

Let's Go
• Captures are in /root/davix_workshop_captures.pcap
• Find something interesting. Come show us!
• Hints
  - tcpdump -nlr /root/davix_workshop_captures.pcap
  - tcpdump2csv.pl
  - afterglow.pl -h
  - bar.pl -h

AfterGlow Variable and Color
    variable=@violation=("Backdoor Access","HackerTool Download");
    color.target="orange" if (grep(/$fields[1]/,@violation));
    color.target="palegreen"

Node Size and Threshold
    maxnodesize=1;
    size.source=$fields[2];
    size=0.5;
    sum.target=0;
    threshold.source=14;

Color and Cluster
    color.source="palegreen" if ($fields[0] =~ /^111/);
    color.source="red";
    color.target="palegreen";
    cluster.source=regex_replace("(\d+)\.\d+")."/8";
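To make the AfterGlow 1.x pipeline (CSV in, parser, grapher, DOT out) and the three property slides above concrete, here is a small CSV-to-DOT grapher written for this page as an added example. It is a simplified re-implementation, not AfterGlow's own code: it applies a target colour rule driven by a violation list, a source colour rule keyed on a "111" prefix, a cluster rule that collapses IP sources to their /8, and a threshold that drops sources seen fewer than N times. The exact meaning given to threshold and cluster is an assumption taken from the slide text, and the input CSV is constructed.

```python
"""CSV-to-DOT grapher in the spirit of the AfterGlow pipeline on the slides
(parser -> grapher), with simplified versions of three property features
from the configuration slides: a colour rule driven by a violation list,
cluster.source collapsing IP sources to their /8, and threshold.source
dropping sources seen fewer than N times.

Added example: a re-implementation, not AfterGlow's own code. The threshold
and cluster semantics are assumptions taken from the slide text; the sample
CSV is constructed.
"""
import re
from collections import Counter

# Constructed input: source IP, action (two-column CSV as on the slide).
SAMPLE_CSV = """\
111.2.3.4,Backdoor Access
111.2.3.4,Ping
111.2.3.4,Patent Access
10.9.8.7,HackerTool Download
10.9.8.7,Printing Resume
192.168.1.1,Ping
"""

# Mirrors the slide's variable=@violation=(...) list.
VIOLATIONS = ("Backdoor Access", "HackerTool Download")


def parse_csv(text):
    """Parser step: one list of stripped fields per non-empty, non-comment line."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            rows.append([f.strip() for f in line.split(",")])
    return rows


def cluster_slash8(source):
    """Stand-in for the slide's cluster.source regex_replace: keep the first octet."""
    match = re.match(r"(\d+)\.\d+", source)
    return f"{match.group(1)}/8" if match else source


def source_color(source):
    """Stand-in for color.source: palegreen when the source starts with 111, else red."""
    return "palegreen" if source.startswith("111") else "red"


def target_color(target):
    """Stand-in for color.target: orange for a listed violation, else palegreen."""
    return "orange" if target in VIOLATIONS else "palegreen"


def build_graph(rows, threshold=1, cluster=False):
    """Grapher step: returns ({node: fillcolor}, [(source, target), ...])."""
    sources = [cluster_slash8(r[0]) if cluster else r[0] for r in rows]
    occurrences = Counter(sources)  # threshold.source counts source occurrences
    nodes, edges, seen_edges = {}, [], set()
    for src, row in zip(sources, rows):
        if occurrences[src] < threshold:
            continue  # below threshold: the source and its edges are left out
        tgt = row[1]
        nodes.setdefault(src, source_color(src))
        nodes.setdefault(tgt, target_color(tgt))  # first colour assigned wins
        if (src, tgt) not in seen_edges:
            seen_edges.add((src, tgt))
            edges.append((src, tgt))
    return nodes, edges


def _quote(name):
    """DOT string literal with embedded double quotes escaped."""
    return '"' + name.replace('"', '\\"') + '"'


def to_dot(nodes, edges, label="AfterGlow-like graph"):
    """Emit DOT with the same graph/node/edge defaults as the slide's output."""
    lines = [
        "digraph structs {",
        f"  graph [label={_quote(label)}, fontsize=8];",
        "  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];",
        "  edge [len=1.6];",
    ]
    lines += [f"  {_quote(n)} [fillcolor={c}];" for n, c in sorted(nodes.items())]
    lines += [f"  {_quote(s)} -> {_quote(t)};" for s, t in edges]
    lines.append("}")
    return "\n".join(lines)


def render(csv_text, threshold=1, cluster=False):
    """Whole pipeline: CSV text in, DOT text out."""
    nodes, edges = build_graph(parse_csv(csv_text), threshold, cluster)
    return to_dot(nodes, edges)


if __name__ == "__main__":
    # Pipe the output into Graphviz, e.g.: python3 grapher.py | dot -Tpng -o graph.png
    print(render(SAMPLE_CSV, threshold=2, cluster=True))
```

With threshold=2 and cluster=True the single 192.168.1.1 row disappears from the graph, the two remaining sources become "111/8" and "10/8", and the two violation targets are the only orange nodes; on a real data set that is the difference between a readable picture and one overwhelmed by one-off sources.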
Thank You
davix.secviz.org
secviz.org
DAVIX VisualizationWorkshop
Jan Monsch at iplosion comRaffael Marty at secviz org
D
V
X
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Senior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Raffael Marty Jan P MonschSenior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Senior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Raffael Marty Jan P MonschSenior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Chief Security Strategist SplunkgtPassion for Visualization
httpsecvizorghttpafterglowsourceforgenet
Raffael Marty Jan P MonschSenior Security AnalystDAVIX initiator and engineer
httpdavixsecvizorghttpwwwiplosioncom
Applied Security VisualizationPaperback 552 pages
Publisher Addison Wesley (August 2008)ISBN 0321510100
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Workshop Preparationbull 30 DAVIX CDs- DAVIX image
- DAVIX manual
- PCAP file for analysis in root
bull Recommended setupbull VMware Player or VMware Fusion
bull Bridged or NAT networking
bull Configure host to access DEFCON wireless network
Copy files to your disk and hand the CD to your neighbor
VM setup assistanceChapter 611 and 612in the manual
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Agenda
• DAVIX
• Visualization
• Example analysis
• Hands-on analysis
• Show us what you got

Goal
You can use DAVIX to analyze your data.

Visualization Questions
• Who analyzes logs?
• Who uses visualization for log analysis?
• Who has used DAVIX?
• Have you heard of SecViz.org?
• What tools are you using for log analysis?

Data Analysis and Visualization Linux (DAVIX)
What is DAVIX?
• Live Linux CD system based on SLAX 6
  - Software packages are modularized
  - Easily customizable
  - Runs from CD/DVD, USB stick or hard drive
• Collection of free tools for data processing & visualization
  - Tools work out of the box
  - No compilation or installation of tools required
• Comes with documentation
  - Quick start description for the most important tools
  - Links to manuals and tutorials

Why Did We Build DAVIX?
• No free solution offering a wide range of visualization tools
  - Huge hurdle for people to get started with visualization
• Cumbersome to get tools running
  - Compiler issues, e.g. gcc 3 vs. gcc 4
  - Dependencies on uncommon and old libraries
  - Different runtime environments
• DAVIX goals
  - Getting tools running is simple; the user can concentrate on analysis
  - Easily customizable; users can add missing things
  - Perfect workspace to get you started with visualization
User Interface - Menu Organization
• Menu organized around the information visualization process: Capture, Process, Visualize
• Tools often cover more than one category
  - AfterGlow: Process, Visualize
• Additional tools/services
  - Apache, MySQL, NTP

Tools
Capture
  - Network tools: Argus, Snort, Wireshark
  - Logging: syslog-ng
  - Fetching data: wget, ftp, scp
Processing
  - Shell tools: awk, grep, sed
  - Graph preprocessing: AfterGlow, LGL
  - Data enrichment: geoiplookup, whois, gwhois
Visualization
  - Network traffic: EtherApe, InetVis, tnv
  - Generic: AfterGlow, LGL Viewer, Mondrian, R Project
Non-exhaustive list of tools.
PDF User Manual
• Quick start guide
• Network setup information
• Tool usage examples
• Links to online resources: tool home pages, manuals, tutorials
• Customizing DAVIX
  - Customizing the ISO image
  - Creating new modules
  - Installation on USB stick or hard drive

User Manual in the Menu
• The manual is browsable by chapter ...
• ... or by individual tool chapters

The Manual Is Not
• Not an introduction to security analysis methodologies
• Not a collection of security analysis use-cases
• Not covering exhaustive examples
  - The usage examples are not security related
  - It is a quick usage guide for the tools
• Look at Raffael's book to get these details

Customizations
• DAVIX and SLAX can be modified in two ways
  - LZM modules: add or remove modules in the directory slax/modules. Modules are highly compressed software packages.
  - rootcopy: overwrite or add individual files of LZM modules by copying modified files to the directory slax/rootcopy
• LZM modules can be generated out of standard Slackware or Dropline GNOME packages using tgz2lzm
Visualization

Information Visualization Process: Capture, Process, Visualize

Data Formats
• CSV / TSV
  10.0.0.2,80,23.2.1.2,failed
  10.0.0.2,80,23.2.1.5,success
• TM3 (tab-separated: header line, type line, data rows)
  Source      Port     Destination   Action
  STRING      INTEGER  STRING        STRING
  10.0.0.2    80       23.2.1.2      failed
• GML
• DOT
  digraph structs {
    graph [label="My Graph"]
    node [shape=ellipse]
    edge [len=1]
    "ram" -> "activity 1"
    "ram" [fillcolor=white]
  }
AfterGlow 1.x
CSV File -> AfterGlow (Parser, Grapher) -> Graph Language File

[Figure: AfterGlow turns a CSV edge list into a DOT graph description]
Input CSV:
  aaelenes,Printing Resume
  abbe,Information Encryption
  aanna,Patent Access
  aatharuv,Ping
Output DOT:
  digraph structs {
    graph [label="AfterGlow 1.5.8", fontsize=8];
    node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
    edge [len=1.6];
    "aaelenes" -> "Printing Resume";
    "abbe" -> "Information Encryption";
    "aanna" -> "Patent Access";
    "aatharuv" -> "Ping";
  }
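The parser-plus-grapher split shown above, written out as an added example (this is not code from the DAVIX deck or from AfterGlow itself). It reads a two-column CSV edge list, emits a DOT digraph with the same header attributes as the AfterGlow 1.5.8 output on the slide, and also writes the TM3 layout from the Data Formats slide. The CSV rows, including the repeated row, are constructed for the demonstration; the function names are this example's own.

```python
"""Minimal CSV -> DOT / TM3 converter in the spirit of AfterGlow 1.x."""
import csv
import io

# Constructed input, mirroring the user -> action CSV on the slide.
# The last row repeats the first on purpose, to show edge de-duplication.
SAMPLE_CSV = """aaelenes,Printing Resume
abbe,Information Encryption
aanna,Patent Access
aatharuv,Ping
aaelenes,Printing Resume
"""


def parse_csv(text):
    """Parser stage: CSV text -> list of (source, target) tuples.
    Rows with fewer than two columns are skipped; columns beyond the
    second are ignored here (AfterGlow uses a third column as event node)."""
    edges = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        edges.append((row[0].strip(), row[1].strip()))
    return edges


def dot_quote(name):
    """Escape a node name for use as a double-quoted DOT identifier, so a
    name taken from untrusted log data cannot break out of the string."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(edges, label="AfterGlow 1.5.8"):
    """Grapher stage: edge list -> DOT text. Repeated CSV rows collapse
    into a single edge instead of drawing parallel edges."""
    lines = [
        "digraph structs {",
        '  graph [label="%s", fontsize=8];' % label,
        "  node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];",
        "  edge [len=1.6];",
    ]
    seen = set()
    for src, dst in edges:
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        lines.append("  %s -> %s;" % (dot_quote(src), dot_quote(dst)))
    lines.append("}")
    return "\n".join(lines) + "\n"


def to_tm3(rows, header, types):
    """TM3 writer: header line, type line, then tab-separated data rows."""
    out = ["\t".join(header), "\t".join(types)]
    out += ["\t".join(str(v) for v in row) for row in rows]
    return "\n".join(out) + "\n"


def dot_edge_count(dot_text):
    """Number of edge statements in a DOT text produced by to_dot()."""
    return sum(1 for line in dot_text.splitlines() if " -> " in line)


if __name__ == "__main__":
    print(to_dot(parse_csv(SAMPLE_CSV)))
```

Pipe the output into neato or dot exactly as you would with afterglow.pl; the de-duplication and the quoting are the two things a hand-rolled converter most often gets wrong when log fields contain quotes.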
An Example Analysis

Worms in Mobile Networks
• Problem: find worms in mobile networks
• Data: Call Detail Records (CDR) of the Multimedia Message Service (MMS)
  20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
• Process: extract originator and recipient (whitespace fields 5 and 6) as a CSV edge list
  cat mms.cdr | awk -v OFS=, '{print $5,$6}'
• Visual transformation: link graph of originator -> recipient

[Figure: MMS link graph, annotated "Service Numbers"]
[Figure: MMS link graph, annotated "Long Chains"]
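The CDR analysis above done as code, as an added example that is not part of the deck. It extracts fields 5 and 6 exactly as the awk one-liner does, builds the MMS link graph, and then searches for the two structures the slide's graphs point at. The reading that high fan-in hubs are service numbers and that long forwarding chains are the worm signature is this example's assumption, as are the thresholds; the CDR lines and phone numbers are constructed.

```python
"""Originator -> recipient graph from MMS CDRs: hubs and long chains."""
from collections import defaultdict

# Constructed CDRs in the slide's column layout: start, "GMT", end, "GMT",
# originator, recipient, status, size. Only columns 5 and 6 are used.
SAMPLE_CDR = """20051117225657 GMT 20051117225701 GMT 41790000001 41790000002 0 63517
20051117225710 GMT 20051117225712 GMT 41790000002 41790000003 0 63517
20051117225730 GMT 20051117225731 GMT 41790000003 41790000004 0 63517
20051117225801 GMT 20051117225803 GMT 41790000004 41790000005 0 63517
20051117225830 GMT 20051117225833 GMT 41790000005 41790000006 0 63517
20051117230000 GMT 20051117230002 GMT 41790000007 41790000008 0 12000
20051117230100 GMT 20051117230101 GMT 41790000001 900 0 300
20051117230200 GMT 20051117230201 GMT 41790000007 900 0 300
20051117230300 GMT 20051117230301 GMT 41790000008 900 0 300
20051117230400 GMT 20051117230401 GMT 41790000009 900 0 300
"""


def parse_edges(text):
    """awk -v OFS=, '{print $5,$6}' in Python: (originator, recipient) per CDR."""
    edges = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue  # malformed record: skip it rather than crash the run
        edges.append((f[4], f[5]))
    return edges


def build_graph(edges):
    """Directed adjacency sets; repeated messages collapse into one edge."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
        graph.setdefault(dst, set())
    return graph


def service_numbers(graph, min_senders=3):
    """Recipients reached by at least min_senders distinct originators
    (the assumed signature of a service number on the slide's graph)."""
    fan_in = defaultdict(set)
    for src, dsts in graph.items():
        for dst in dsts:
            fan_in[dst].add(src)
    return sorted(n for n, s in fan_in.items() if len(s) >= min_senders)


def longest_chain(graph):
    """Longest simple path of forwarded messages. A visited set keeps a
    reply loop (A -> B -> A) from recursing forever. The search is
    exponential in the worst case; for a full CDR set cap the depth or
    order edges by timestamp first."""
    best = []

    def dfs(node, path, seen):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                path.append(nxt)
                dfs(nxt, path, seen)
                path.pop()
                seen.discard(nxt)

    for start in list(graph):
        dfs(start, [start], {start})
    return best


def worm_candidates(text, min_chain=4):
    """Chain of at least min_chain handsets, or [] if none exists."""
    chain = longest_chain(build_graph(parse_edges(text)))
    return chain if len(chain) >= min_chain else []


if __name__ == "__main__":
    g = build_graph(parse_edges(SAMPLE_CDR))
    print("service numbers:", service_numbers(g))
    print("longest chain:", " -> ".join(longest_chain(g)))
```

On the constructed data the hub 900 is reached by four originators and the six-handset chain stands out; on real CDRs you would additionally feed the hubs back into AfterGlow's threshold or colour properties so that the service numbers stop dominating the layout.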
Hands-on Analysis

Let's Go
• Captures are in /root/davix_workshop_captures.pcap
• Find something interesting. Come show!
• Hints
  - tcpdump -nlr /root/davix_workshop_captures.pcap
  - tcpdump2csv.pl
  - afterglow.pl -h
  - bar.pl -h

AfterGlow: Variable and Color
  variable=@violation=("Backdoor Access", "HackerTool Download");
  color.target="orange" if (grep(/$fields[1]/,@violation));
  color.target="palegreen"

AfterGlow: Node Size and Threshold
  maxnodesize=1
  size.source=$fields[2]
  size=0.5
  sum.target=0
  threshold.source=14

AfterGlow: Color and Cluster
  color.source="palegreen" if ($fields[0] =~ /^111/)
  color.source="red"
  color.target="palegreen"
  cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
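The hands-on pipeline and the three property sets above, as an added example that is not part of the deck and not AfterGlow's code. Step one parses "tcpdump -nl" lines into source, destination and length rows (the role tcpdump2csv.pl plays in the hints; the column choice is this example's). Step two applies the rules with AfterGlow's first-matching-rule semantics: the @violation colour rule, size.source summed per source with a threshold, and color.source / cluster.source on the 111.x prefix from the slide. The tcpdump lines are constructed, the thresholds are illustrative, and the size normalisation (largest node scaled to maxnodesize) is a simplification of AfterGlow's.

```python
"""tcpdump text -> CSV rows -> per-node AfterGlow-style attributes."""
import re
from collections import Counter

# Constructed "tcpdump -nl" output. The ARP line is there to be ignored.
SAMPLE_TCPDUMP = """12:00:01.000001 IP 111.1.2.3.51000 > 10.0.0.2.80: Flags [P.], seq 1:101, ack 1, win 65535, length 100
12:00:01.100001 IP 111.1.2.3.51001 > 10.0.0.2.443: Flags [P.], seq 1:201, ack 1, win 65535, length 200
12:00:02.000001 IP 10.0.0.9.40000 > 10.0.0.2.22: Flags [P.], seq 1:301, ack 1, win 65535, length 300
12:00:03.000001 IP 10.0.0.9.40001 > 10.0.0.2.22: Flags [P.], seq 1:401, ack 1, win 65535, length 400
12:00:04.000001 IP 192.0.2.7.2222 > 10.0.0.2.22: Flags [P.], seq 1:501, ack 1, win 65535, length 500
12:00:05.000001 ARP, Request who-has 10.0.0.2 tell 10.0.0.9, length 28
"""

TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):.*length (\d+)")


def tcpdump_to_csv(text):
    """[sip, dip, length] per IPv4 line; non-IP lines (ARP) are dropped."""
    rows = []
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if m:
            rows.append([m.group(1), m.group(3), m.group(5)])
    return rows


def first_match(rules, fields, default=None):
    """AfterGlow semantics: rules are (predicate, value) pairs in file
    order; the first predicate that holds wins. An unconditional line is a
    predicate that is always true."""
    for pred, value in rules:
        if pred(fields):
            return value
    return default


# Color and Cluster slide, rule by rule.
COLOR_SOURCE = [(lambda f: f[0].startswith("111"), "palegreen"),
                (lambda f: True, "red")]
COLOR_TARGET = [(lambda f: True, "palegreen")]


def cluster_source(fields):
    """regex_replace("(\\d+)\\.\\d+")."/8": first octet of the source + "/8"."""
    m = re.match(r"(\d+)\.\d+", fields[0])
    return m.group(1) + "/8" if m else fields[0]


# Variable and Color slide. AfterGlow interpolates $fields[1] into the grep
# pattern unescaped; re.escape() here is a hardening choice, so a field
# value like ".*" cannot match every entry of the list.
VIOLATION = ["Backdoor Access", "HackerTool Download"]
COLOR_TARGET_VIOLATION = [
    (lambda f: any(re.search(re.escape(f[1]), v) for v in VIOLATION), "orange"),
    (lambda f: True, "palegreen")]


def node_attributes(rows, threshold_source=1, maxnodesize=1.0):
    """Node Size and Threshold slide: size.source=$fields[2], summed per
    source, normalised so the largest source is maxnodesize; sources seen
    fewer than threshold_source times are dropped with their edges."""
    count = Counter(r[0] for r in rows)
    size = Counter()
    for r in rows:
        size[r[0]] += float(r[2])
    biggest = max(size.values()) if size else 1.0
    attrs = {}
    for r in rows:
        if count[r[0]] < threshold_source:
            continue
        attrs[r[0]] = {"color": first_match(COLOR_SOURCE, r),
                       "cluster": cluster_source(r),
                       "size": round(size[r[0]] / biggest * maxnodesize, 3)}
        attrs.setdefault(r[1], {"color": first_match(COLOR_TARGET, r)})
    return attrs


if __name__ == "__main__":
    for node, a in sorted(node_attributes(tcpdump_to_csv(SAMPLE_TCPDUMP), 2).items()):
        print(node, a)
    print(first_match(COLOR_TARGET_VIOLATION, ["bob", "HackerTool Download"]))
```

Two things to check when you write the real property file: the order of the colour lines matters, since the unconditional line must come last or it shadows the conditional one, and any field you interpolate into a regex (the grep in the @violation rule) is pattern syntax, not literal text, so a log value containing metacharacters changes what matches.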
Thank You
davix.secviz.org
secviz.org
AgendaDAVIX
Visualization
Example analysis
Hands-on analysis
Show us what you got
4
GoalYou can use DAVIX
to analyze your data
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Visualization Questionsbull Who analyzes logs
bull Who uses visualization for log analysis
bull Who has used DAVIX
bull Have you heard of SecVizorg
bull What tools are you using for log analysis
5
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Data Analysis and Visualization LinuxDAVIX
D
V
X
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
What is DAVIXbull Live Linux CD system based on SLAX 6
- Software packages are modularized
- Easy customizable
- Runs from CDDVD USB stick or hard drive
bull Collection of free tools for data processing amp visualization
- Tools work out of the box
- No compilation or installation of tools required
bull Comes with documentation
- Quick start description for the most important tools
- Links to manuals and tutorials
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Why Did We Build DAVIXbull No free solution offering wide range of visualization tools
- Huge hurdle for people to get start with visualization
bull Cumbersome to get tools running
- Compiler issues eg gcc 3 vs gcc 4
- Dependencies with uncommon and old libraries
- Different runtime environments
bull DAVIX Goals
- Getting tools running is simple User can concentrate on analysis
- Easy customizable Users can add missing things
- Perfect workspace to get you started with visualization
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizationsbull The DAVIX and SLAX can be modified in two ways
- LZM modules
Adding or removing modules in the directory slaxmodules
Modules are highly compressed software packages
- rootcopy
Overwrite or add individual files of LZM modules by copyingmodified files to the directory slaxrootcopy
bull LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
16
Capture Process Visualize
Data Formatsbull CSV TSV
100028023212failed
100028023215success
bull TM3
Source Port Destination Action
STRING INTEGER STRING STRING
10002 80 23212 failed
bull GML
17
bull DOT
digraph structs
graph [label=rdquoMy Graphrdquo]
node [shape=ellipse]
edge [len=1]
ldquoramrdquo -gt ldquoactivity 1rdquo
ldquoramrdquo [fillcolor=white]
bull
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
AfterGlow 1x
CSV File
AfterGlowGraph
LanguageFile
digraph structs graph [label=AfterGlow 158 fontsize=8] node [shape=ellipse style=filled fontsize=10 width=1 height=1 fixedsize=true] edge [len=16]
aaelenes -gt Printing Resume abbe -gt Information Encryption aanna -gt Patent Access aatharuv -gt Ping
aaelenesPrinting ResumeabbeInformation Encrytion
aannaPatent AccessaatharuyPing
Parser Grapher
An Example Analysis
Worms in Mobile Networksbull Problem Find worms in mobile networks
bull Data Call Detail Records (CDR)
20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT imagejpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
bull Process
cat mmscdr | awk -o VFS= lsquoprint $5 $6rsquo
bull Visual Transformation
Multimedia Message Service
21
Multimedia Message Service
21
Service Numbers
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
User Interface - Menu Organizationbull Menu organized around the information visualization process
bull Tools often cover more than one category
- Afterglow Process Visualize
bull Additional toolsservices
- Apache MySQL NTP
Capture Process Visualize
ToolsCapture
- Network tools
Argus
Snort
Wireshark
- Logging
syslog-ng
- Fetching data
wget
ftp
scp
Processing
- Shell tools
awk grep sed
- Graphic preprocessing
Afterglow
LGL
- Date enrichment
geoiplookup
whoisgwhois
Visualization
- Network Traffic
EtherApe
InetVis
tnv
- Generic
Afterglow
LGL Viewer
Mondrian
R Project
Non-concluding list of tools
PDF User Manualbull Quick start guide
bull Network setup information
bull Tool usage examples
bull Links to online resource Tool home pages manuals tutorials
bull Customizing DAVIX
- Customizing ISO image
- Creating new modules
- Installation on USB stick or hard drive
User Manual in the Menubull The manual is browsable by
chapter hellip
bull hellip or individual tool chapters
The Manual Is Notbull Not an introduction to security analysis methodologies
bull Not a collection of security analysis use-cases
bull Not covering exhaustive examples
- The usage examples are not security related
- It is a quick usage guide for the tools
bull Look at Raffaelrsquos book to get these details
Customizations
• DAVIX and SLAX can be modified in two ways
  - LZM modules
    Adding or removing modules in the directory /slax/modules
    Modules are highly compressed software packages
  - rootcopy
    Overwrite or add individual files of LZM modules by copying modified files to the directory /slax/rootcopy
• LZM modules can be generated out of standard Slackware or dropline GNOME packages using tgz2lzm
Visualization
Information Visualization Process
Capture -> Process -> Visualize
Data Formats
• CSV, TSV
    10.0.0.2,80,2.3.2.12,failed
    10.0.0.2,80,2.3.2.15,success
• TM3
    Source    Port     Destination  Action
    STRING    INTEGER  STRING       STRING
    10.0.0.2  80       2.3.2.12     failed
• GML
• DOT
    digraph structs {
      graph [label="My Graph"];
      node [shape=ellipse];
      edge [len=1];
      "ram" -> "activity 1";
      "ram" [fillcolor=white];
    }
AfterGlow 1.x
CSV File -> Parser -> AfterGlow -> Graph Language File -> Grapher
CSV file:
    aaelenes,Printing Resume
    abbe,Information Encryption
    aanna,Patent Access
    aatharuv,Ping
Graph language file (DOT):
    digraph structs {
      graph [label="AfterGlow 1.5.8", fontsize=8];
      node [shape=ellipse, style=filled, fontsize=10, width=1, height=1, fixedsize=true];
      edge [len=1.6];
      "aaelenes" -> "Printing Resume";
      "abbe" -> "Information Encryption";
      "aanna" -> "Patent Access";
      "aatharuv" -> "Ping";
    }
An Example Analysis
Worms in Mobile Networks
• Problem: Find worms in mobile networks
• Data: Call Detail Records (CDR)
    20051117225657 GMT 20051117225657 GMT 4179543xxxx 4176448xxxx 0 63517 20051117225657 GMT 19700101000000 GMT image/jpeg CHEC1_MMSC1 MM4Rrecord 0 1 MM1 22801351822xxxx 22802071035xxxx 2 1132 26821763098xxxx
• Process: extract the two phone-number fields (sender, receiver) as a two-column CSV for AfterGlow
    cat mms.cdr | awk -v OFS=, '{print $5,$6}'
• Visual Transformation
Multimedia Message Service: Service Numbers
Multimedia Message Service: Long Chains
Hands-on Analysis
Let's Go
• Captures are in /root/davix_workshop_captures.pcap
• Find something interesting! Come show!
• Hints
  • tcpdump -nlr /root/davix_workshop_captures.pcap
  • tcpdump2csv.pl
  • afterglow.pl -h
  • bar.pl -h
AfterGlow Variable and Color
  variable=@violation=("Backdoor Access", "HackerTool Download");
  color.target="orange" if (grep(/$fields[1]/, @violation));
  color.target="palegreen"
Node Size and Threshold
  maxnodesize=1
  size.source=$fields[2]
  size=0.5
  sum.target=0
  threshold.source=14
Color and Cluster
  color.source="palegreen" if ($fields[0] =~ /^111/);
  color.source="red"
  color.target="palegreen"
  cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
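The CSV-to-DOT step that AfterGlow performs in the pipeline above (the two-column CSV from the CDR analysis, and the variable/color, threshold and cluster rules on the three AfterGlow property slides), written out as an added Python example; this is not AfterGlow's own code. The sample rows are constructed, and the "at least N occurrences" reading of threshold.source and the reduced node attributes are assumptions made here.

```python
"""Mini AfterGlow-style CSV-to-DOT converter (added example, not AfterGlow itself).

It reproduces the property-file rules shown on the slides:
  variable=@violation=("Backdoor Access", "HackerTool Download");
  color.target="orange" if (grep(/$fields[1]/,@violation)); color.target="palegreen"
  color.source="palegreen" if ($fields[0] =~ /^111/); color.source="red"
  cluster.source=regex_replace("(\\d+)\\.\\d+")."/8"
  threshold.source=14
"""
import re
from collections import Counter

# Constructed sample input in the two-column CSV form the slides feed to afterglow.pl
SAMPLE_CSV = """\
111.2.3.4,Backdoor Access
111.2.3.4,Ping
111.9.9.9,HackerTool Download
10.0.0.2,Patent Access
10.0.0.7,Ping
"""

# variable=@violation=(...)
VIOLATIONS = ("Backdoor Access", "HackerTool Download")


def parse_csv(text):
    """Split CSV lines into [source, target, ...] field lists, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2:
            raise ValueError("need at least source,target: %r" % line)
        rows.append(fields)
    return rows


def cluster_source(node):
    """cluster.source=regex_replace("(\\d+)\\.\\d+")."/8": keep the first octet, add /8."""
    m = re.match(r"(\d+)\.\d+", node)
    return m.group(1) + "/8" if m else node


def color_source(node):
    """color.source="palegreen" if the source matches /^111/, otherwise the fallback "red"."""
    return "palegreen" if re.match(r"^111", node) else "red"


def color_target(node):
    """color.target="orange" for a listed violation, otherwise "palegreen"."""
    return "orange" if node in VIOLATIONS else "palegreen"


def build_edges(rows, threshold_source=1, cluster=False):
    """Cluster first, then apply threshold.source (assumed here: keep a source node
    only if it occurs at least threshold_source times), and drop duplicate edges."""
    if cluster:
        rows = [[cluster_source(r[0])] + r[1:] for r in rows]
    counts = Counter(r[0] for r in rows)
    edges = []
    for src, tgt, *_ in rows:
        if counts[src] < threshold_source:
            continue
        if (src, tgt) not in edges:
            edges.append((src, tgt))
    return edges


def to_dot(edges, label="AfterGlow example"):
    """Emit the DOT graph language the slides show as AfterGlow's output."""
    lines = ["digraph structs {",
             '  graph [label="%s", fontsize=8];' % label,
             "  node [shape=ellipse, style=filled, fontsize=10];",
             "  edge [len=1.6];"]
    for src, tgt in edges:
        lines.append('  "%s" -> "%s";' % (src, tgt))
    for node in sorted({s for s, _ in edges}):
        lines.append('  "%s" [fillcolor=%s];' % (node, color_source(node)))
    for node in sorted({t for _, t in edges}):
        lines.append('  "%s" [fillcolor=%s];' % (node, color_target(node)))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Cluster sources into /8 networks, keep sources seen at least twice, print DOT
    rows = parse_csv(SAMPLE_CSV)
    print(to_dot(build_edges(rows, threshold_source=2, cluster=True)))
```

Pipe the printed DOT into neato or dot from Graphviz to render it, exactly as afterglow.pl's output is rendered on the slides.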
Thank You
davix.secviz.org
secviz.org
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Multimedia Message Service
22
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Multimedia Message Service
22
Long Chains
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Hands-on Analysis
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Letrsquos Gobull Captures are in rootdavix_workshop_capturespcap
bull Find something interesting Come show
bull Hints
bull tcpdump -nlr rootdavix_workshop_capturespcap
bull tcpdump2csvpl
bull afterglowpl -h
bull barpl -h
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
AfterGlow Variable and Color
variable=violation=(Backdoor Access HackerTool Downloadrdquo)colortarget=orange if (grep($fields[1]violation))colortarget=palegreen
Node Size and Threshold
maxnodesize=1sizesource=$fields[2] size=05sumtarget=0thresholdsource=14
Color and Clustercolorsource=palegreen if ($fields[0] =~ ^111)colorsource=redcolortarget=palegreenclustersource=regex_replace((d+)d+)8
Thank You
davix secviz org
S
E
C I
V
Z
secviz org
Thank You
davix secviz org
S
E
C I
V
Z
secviz org