visualizing analyzing and filtering zeek events
play

Visualizing, Analyzing and Filtering Zeek Events using a graphical - PowerPoint PPT Presentation

Feb 20, 2024 •263 likes •505 views

Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick Skelsey ZeekWeek 2019 Seattle, WA 11 October, 2019 AGENDA Motivation 1. State of the art 2. Monopticon 3. Related research 4. 2 CONNECTIVITY

  1. Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick Skelsey ZeekWeek 2019 Seattle, WA 11 October, 2019

  2. AGENDA Motivation 1. State of the art 2. Monopticon 3. Related research 4. 2

  3. CONNECTIVITY ISSUES: do not suffer in silence > ping google.com > ping 8.8.8.8 > ip a > ping 192.168.1.0 > dhcp -4 iface_name *check cable* *check unpaid bills* *check news for regional disaster* 3

  4. MOTIVATION Graphics can have high information density. 1. No certifications required. 2. 3 . Develop intuition. 4

  5. IVRE Lalet, Pierre, Florent Monjalet, and Camille Mougey. "IVRE, a network recon framework." ivre.rocks (2017). 5

  6. ZENMAP & RADIALNET RadialNet: An Interactive Network Topology Visualization Tool with Visual Auditing Support, CRITIS 2008 João P. S. Medeiros, Selan R. dos Santos at Federal University of Rio Grande do Norte – UFRN 6

  7. MONOPTICON A GPLv3 application built with C++, zeek and Mangum for POSIX systems. 7

  8. minicps WATER TREATMENT > ip link add name feth1 type dummy > ip link set dev feth1 up > tcpreplay -v -i feth1 SWaT_plc_test.pcapng Antonioli, Daniele, and Nils Ole Tippenhauer. "MiniCPS: A toolkit for security research on CPS networks." Proceedings of the First ACM workshop on cyber-physical systems-security and/or privacy. ACM, 2015. 8

  9. Bettercap ARP Spoofing > set arp.spoof.internal true; > set arp.spoof.targets 192.168.1.20,192.168.1.30; > set arp.spoof.full_duplex on; > arp.spoof on; 9

  10. OBSERVATIONS Limit scope: Ethernet and IPv4 1. Must be modular: Represent the OSI stack as a stack 2. Must be passive: offline packet analysis 3. Must be quick: native or web assembly 4. Should be extensible: zeek and bash scripts 5 . 10 10

  11. DESIGN 11 11

  12. MODELING DEVICES IN A BROADCAST DOMAIN IEEE 802.1* defines ethernet 38:30:f9:61:97:6f 12

  13. MAGNUM.GRAPHICS 13

  14. THE GRAPHICS PIPELINE 14 14

  15. OBJECT SELECTION 3 1 2 15

  16. OBJECT LAYOUT 16 16

  17. LIMITATIONS 17

  18. 802.1 BROADCAST DOMAINS All devices addressable by their MAC. Frames traverse switches based on: - Destination address - The type of address - The switches (routing) tables - Structure of the spanning tree - Optimizations like 802.1aq Fedyk, D., et al. "IS-IS extensions supporting IEEE 802.1 aq shortest path bridging." Internet Engineering Task Force (IETF), RFC 6329 (2012): 2070-1721. 18

  19. AAALM zeek package that passively infers the structure of an IPv4 network over Ethernet 19

  20. INFERRING NETWORK STRUCTURE 20

  21. DRAWING A BROADCAST DOMAIN 21

  22. Port knocking 22

  23. FUTURE WORK Extensible event monitoring 1. Sane packaging 2. L2 & L3 model to identify network security 3. policy violations. 23

  24. THANK YOU Check out: Monopticon on github or in the AUR aaalm zeek package Bibliography: nskelsey.com/zweek bvtech.it securenetwork.it 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro ->

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro ->

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro -> zeek broctl -> zeekctl bro-cut -> zeek-cut bro-pkg -> zkg /usr/local/bro -> /usr/local/zeek *.bro -> *.zeek bro_{init,done} ->

907 views • 13 slides
CHARGE DEPOSITIONS IN THE APA GAPS FILTERING GAP CROSSING EVENTS FILTERING STOPPING EVENTS USING

CHARGE DEPOSITIONS IN THE APA GAPS FILTERING GAP CROSSING EVENTS FILTERING STOPPING EVENTS USING

CHARGE DEPOSITIONS IN THE APA GAPS FILTERING GAP CROSSING EVENTS FILTERING STOPPING EVENTS USING GAPS CALIBRATION FOR GAP WIDTHS TRISTAN BLACKBURN - SUSSEX ! It is currently unknown how charge deposited in the APA gaps will behave in actuality.

239 views • 20 slides
Where Do Tourists Go? Visualizing and Analyzing the Spatial Distribution of Geotagged

Where Do Tourists Go? Visualizing and Analyzing the Spatial Distribution of Geotagged

Where Do Tourists Go? Visualizing and Analyzing the Spatial Distribution of Geotagged Photography Blint KDR, Mtys GEDE Department of Urban Planning and Design Budapest University of Technology and Economics Department of Cartography

396 views • 15 slides
Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web Workshop on Learning the Semantics of Audio Signals (LSAS) 21 st June 2008, Paris, France Markus Schedl, Peter Knees Department of Computational

691 views • 26 slides
Computational Tools for Modeling, Visualizing and Analyzing Historic and Archaeological Sites

Computational Tools for Modeling, Visualizing and Analyzing Historic and Archaeological Sites

Computational Tools for Modeling, Visualizing and Analyzing Historic and Archaeological Sites Peter K. Allen Department of Computer Science Columbia University Interdisciplinary project with overall goal of bringing new digital technologies

697 views • 44 slides
Data Analysis Analyzing and Visualizing 15-110 Wednesday 4/15 Learning Goals Perform

Data Analysis Analyzing and Visualizing 15-110 Wednesday 4/15 Learning Goals Perform

Data Analysis Analyzing and Visualizing 15-110 Wednesday 4/15 Learning Goals Perform basic analyses on data to answer simple questions Identify which visualization is appropriate based on the type of data Use matplotlib to

449 views • 44 slides
How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

Run, Zeek, RUN! How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October 11, 2019 ESNet Goals for this presentation The Quest for Efficiency started Long Ago Can Zeek run faster without code

791 views • 25 slides
Visualizing Heart Data Visualizing Heart Data of a living entity by analyzing time- -series data

Visualizing Heart Data Visualizing Heart Data of a living entity by analyzing time- -series data

What do researchers seek? What do researchers seek? To achieve a better understanding of the state To achieve a better understanding of the state Visualizing Heart Data Visualizing Heart Data of a living entity by analyzing time-

59 views • 3 slides
Explore VisIt:: an open source, end user tool for visualizing and analyzing very large data M04:

Explore VisIt:: an open source, end user tool for visualizing and analyzing very large data M04:

at Explore VisIt:: an open source, end user tool for visualizing and analyzing very large data M04: Introduction to VisIt: : 8:30-12:00 M14: Advanced VisIt usage: 1:30-5:00 Monday, November 15 th in Rm 388 Introduction to Tutorial M04 8:30

885 views • 63 slides
1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

Filtering May be Your Work Adaptive Information Filtering Using Bayesian Graphical Models Yi Zhang Baskin School of Engineering University of California Santa Cruz yiz@soe.ucsc.edu 1 2 Filtering May be Your Work Filtering May be Your Work

415 views • 8 slides
Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data - Visualizing trajectories - Visualizing time Tasks Locations (0D, Points) Areas (2D) Distribution Comparison Sensity Max/min values

961 views • 48 slides
Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir

Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir

Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir CERN Intelligence in Zeek Architecture Intel::Item represents intelligence Intel::Type one of ADDR, SUBNET, URL, SOFTWARE, EMAIL, DOMAIN,

520 views • 20 slides
Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi Brent Second Prize Intel-Limiter Package - Jan GrasHoefer Third Prize zeek-sniffpass Package - Andrew Klaus Fourth Prize Known-hosts-with-dns -

177 views • 7 slides
Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering Rate limits Protection against traffic analysis Padding Routing control Lecture 9 Page 1 CS 236 Online Source Address Filtering

366 views • 11 slides
Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009 Motivation

466 views • 27 slides
CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation decisions for a specific CS-490W user based on the judgments of users with similar tastes Collaborative Filtering Luo Si Train_User 1 1 5 3 3 4

628 views • 6 slides
Investiture Ceremony cum CCA Fair 06 January 2018 Gree eendale ndale Secondary condary School

Investiture Ceremony cum CCA Fair 06 January 2018 Gree eendale ndale Secondary condary School

Investiture Ceremony cum CCA Fair 06 January 2018 Gree eendale ndale Secondary condary School ol nurturing TALENTS developing CHARACTER inspiring LIVES Nurturing Talents, Developing Character, Inspiring Lives Programme for the Day

1.4k views • 59 slides
POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List

POEx: A Beyond-Birthday-Bound-Secure On-Line Cipher ArcticCrypt 2016 Christian Forler 1 Eik List 2 Stefan Lucks 2 Jakob Wenzel 2 1 Hochschule Schmalkalden, 2 Bauhaus-Universitt Weimar eik.list (at) uni-weimar.de 18 July 2016 18 July 2016

561 views • 53 slides
C a e l q p c e u u a r r i l m v a e P R e n h a E d M d P c C

C a e l q p c e u u a r r i l m v a e P R e n h a E d M d P c C

Advancesi W R e V 2 a N s 5 p o 2 ? u o 1 5 r - 3 c e 0 o E S l L c s i e ~ 1 9 A r r P e i i G s r B g e l i r r r h n P I I : S 0 3 0 9 - 1 7 0 8 ( 9 6 ) O O 0 5 0 - 4

643 views • 26 slides
Using the Semantic Web Mathieu dAquin q What is there to use on the Semantic Web? Web?

Using the Semantic Web Mathieu dAquin q What is there to use on the Semantic Web? Web?

Using the Semantic Web Mathieu dAquin q What is there to use on the Semantic Web? Web? Technologies Systems Systems Services Infrastructures I f t t Knowledge, information, data A lot of that Introduction to the

559 views • 29 slides
Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction On-chip

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction On-chip

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction On-chip debug interfaces are a well-known attack vector - Used as a stepping stone to further an attack - Can provide chip-level control of a target

766 views • 35 slides
sts st r r

sts st r r

sts st r sts st r r Pt tr

768 views • 61 slides
Todays Agenda Syllabus Overview of Organizational Psychology Introductions 1

Todays Agenda Syllabus Overview of Organizational Psychology Introductions 1

PSY 5708 Organizational Psychology Instructor: Aaron M. Schmidt, Ph.D. Todays Agenda Syllabus Overview of Organizational Psychology Introductions 1 Syllabus Overview please refer to syllabus I will email a PDF copy

295 views • 4 slides
15-381: AI Classical Deterministic Planning Representation and Search Fall 2009 Manuela

15-381: AI Classical Deterministic Planning Representation and Search Fall 2009 Manuela

15-381: AI Classical Deterministic Planning Representation and Search Fall 2009 Manuela Veloso (Thanks to Reid Simmons for the blocksworld example run.) Carnegie Mellon Outline Planning Actions, states, goals Linear

560 views • 17 slides

More recommend