SLIDE 1

Visualizing, Analyzing and Filtering Zeek Events

using a graphical frontend and OpenGL

Nick Skelsey ZeekWeek 2019 Seattle, WA 11 October, 2019

SLIDE 2

AGENDA

1. Motivation
2. State of the art
3. Monopticon
4. Related research

SLIDE 3

CONNECTIVITY ISSUES: do not suffer in silence

> ping google.com
> ping 8.8.8.8
> ip a
> ping 192.168.1.0
> dhcp -4 iface_name
*check cable*
*check unpaid bills*
*check news for regional disaster*

SLIDE 4

MOTIVATION

1. Graphics can have high information density.
2. No certifications required.
3. Develop intuition.

SLIDE 5

IVRE

Lalet, Pierre, Florent Monjalet, and Camille Mougey. "IVRE, a network recon framework." ivre.rocks (2017).

SLIDE 6

ZENMAP & RADIALNET

Medeiros, João P. S., and Selan R. dos Santos (Federal University of Rio Grande do Norte, UFRN). "RadialNet: An Interactive Network Topology Visualization Tool with Visual Auditing Support." CRITIS 2008.

SLIDE 7

MONOPTICON

A GPLv3 application built with C++, Zeek and Magnum for POSIX systems.

SLIDE 8

MiniCPS WATER TREATMENT

> ip link add name feth1 type dummy
> ip link set dev feth1 up
> tcpreplay -v -i feth1 SWaT_plc_test.pcapng

Antonioli, Daniele, and Nils Ole Tippenhauer. "MiniCPS: A toolkit for security research on CPS networks." Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or Privacy. ACM, 2015.

SLIDE 9

Bettercap ARP Spoofing

> set arp.spoof.internal true
> set arp.spoof.targets 192.168.1.20,192.168.1.30
> set arp.spoof.fullduplex true
> arp.spoof on

SLIDE 10

OBSERVATIONS

1. Limit scope: Ethernet and IPv4
2. Must be modular: represent the OSI stack as a stack
3. Must be passive: offline packet analysis
4. Must be quick: native or WebAssembly
5. Should be extensible: Zeek and bash scripts

SLIDE 11

DESIGN

SLIDE 12

MODELING DEVICES IN A BROADCAST DOMAIN

IEEE 802.3 defines Ethernet framing; the IEEE 802.1 family (802.1D bridging, 802.1Q VLANs) defines how switches forward those frames. Every device in a broadcast domain is therefore modeled by its 48-bit MAC address, e.g.:

38:30:f9:61:97:6f

SLIDE 13

MAGNUM.GRAPHICS

SLIDE 14

THE GRAPHICS PIPELINE

SLIDE 15

OBJECT SELECTION

(figure: labelled 1, 2, 3)

SLIDE 16

OBJECT LAYOUT

SLIDE 17

LIMITATIONS

SLIDE 18

802.1 BROADCAST DOMAINS

All devices are addressable by their MAC. Frames traverse switches based on:

  • Destination address
  • The type of address (unicast, multicast or broadcast)
  • The switches' forwarding tables
  • Structure of the spanning tree
  • Optimizations like 802.1aq

Fedyk, D., et al. "IS-IS Extensions Supporting IEEE 802.1aq Shortest Path Bridging." RFC 6329, IETF, 2012.

SLIDE 19

AAALM

A Zeek package that passively infers the structure of an IPv4 network over Ethernet.

SLIDE 20

INFERRING NETWORK STRUCTURE
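The kind of passive inference slides 18 to 20 describe, worked through on the ARP-spoofing scenario from slide 9, as an added example for this page (it is not Monopticon or aaalm code and does not reproduce their algorithms). It assumes Zeek was run with policy/protocols/conn/mac-logging loaded, which adds orig_l2_addr and resp_l2_addr to conn.log next to id.orig_h and id.resp_h; the rows, the host and attacker MACs and the 192.168.1.0/24 subnet are constructed for the example. It classifies each MAC by its I/G bit, treats any unicast MAC that fronts an off-subnet IP as the segment's gateway, and reports an IP that is seen behind more than one unicast MAC, which is exactly what a full-duplex ARP spoof of 192.168.1.20 and 192.168.1.30 produces on the wire.

```python
"""Passive L2/L3 inference over Zeek conn.log rows that carry MAC addresses.

Added example for this page; it is not Monopticon or aaalm code.  It
assumes Zeek ran with policy/protocols/conn/mac-logging loaded, which adds
orig_l2_addr and resp_l2_addr to conn.log next to id.orig_h and id.resp_h.
"""
import ipaddress
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample rows: (id.orig_h, id.resp_h, orig_l2_addr, resp_l2_addr).
# The first four rows are a clean baseline.  The last two are what the same
# sensor sees after "arp.spoof on" with fullduplex against .20 and .30: the
# attacker's MAC now fronts both the gateway-bound traffic and the other target.
GATEWAY_MAC = "38:30:f9:61:97:6f"   # MAC from slide 12, reused here as the gateway
HOST20_MAC = "00:11:22:33:44:20"    # hypothetical
HOST30_MAC = "00:11:22:33:44:30"    # hypothetical
ATTACKER_MAC = "de:ad:be:ef:00:01"  # hypothetical

SAMPLE_ROWS = [
    ("192.168.1.20", "8.8.8.8",      HOST20_MAC, GATEWAY_MAC),
    ("192.168.1.30", "1.1.1.1",      HOST30_MAC, GATEWAY_MAC),
    ("192.168.1.30", "192.168.1.20", HOST30_MAC, HOST20_MAC),
    ("192.168.1.20", "224.0.0.251",  HOST20_MAC, "01:00:5e:00:00:fb"),  # mDNS
    ("192.168.1.20", "8.8.8.8",      HOST20_MAC, ATTACKER_MAC),  # spoofed
    ("192.168.1.30", "192.168.1.20", HOST30_MAC, ATTACKER_MAC),  # spoofed
]


def mac_type(mac):
    """Classify by the IEEE 802 I/G bit (bit 0 of the first octet).

    Broadcast is the all-ones special case of a group address.
    """
    mac = mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    first_octet = int(mac.split(":")[0], 16)
    return "multicast" if first_octet & 0x01 else "unicast"


def infer(rows, local_net):
    """Infer gateway and host MACs for local_net and flag IP/MAC conflicts.

    A unicast MAC that fronts any off-subnet IP is forwarding for the
    segment, i.e. a gateway.  Every other unicast MAC is a host with the
    IPs it was seen with.  An IP carried by more than one unicast MAC is
    the conflict an ARP spoof produces on the wire.
    """
    net = ipaddress.ip_network(local_net)
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for orig_h, resp_h, orig_l2, resp_l2 in rows:
        for ip, mac in ((orig_h, orig_l2), (resp_h, resp_l2)):
            # Group MACs and multicast IPs never identify one device.
            if mac_type(mac) != "unicast" or ipaddress.ip_address(ip).is_multicast:
                continue
            ip_to_macs[ip].add(mac)
            mac_to_ips[mac].add(ip)
    gateways = {mac for mac, ips in mac_to_ips.items()
                if any(ipaddress.ip_address(ip) not in net for ip in ips)}
    hosts = {mac: ips for mac, ips in mac_to_ips.items() if mac not in gateways}
    conflicts = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    return {"gateways": gateways, "hosts": hosts, "conflicts": conflicts}


def spoof_indicators(result):
    """Turn an infer() result into alert strings; an empty list means clean."""
    alerts = []
    if len(result["gateways"]) > 1:
        alerts.append("multiple MACs forwarding off-subnet traffic: "
                      + ", ".join(sorted(result["gateways"])))
    for ip, macs in sorted(result["conflicts"].items()):
        alerts.append(f"{ip} seen behind {len(macs)} MACs: " + ", ".join(sorted(macs)))
    return alerts


if __name__ == "__main__":
    for label, rows in (("baseline", SAMPLE_ROWS[:4]), ("during spoof", SAMPLE_ROWS)):
        print(label, spoof_indicators(infer(rows, "192.168.1.0/24")) or ["clean"])
```

On the baseline rows the only gateway is 38:30:f9:61:97:6f and there are no conflicts; once the spoofed rows arrive, de:ad:be:ef:00:01 also shows up forwarding off-subnet traffic and both 8.8.8.8 and 192.168.1.20 are seen behind two MACs. Feeding real conn.log rows (tab-separated, with the two L2 fields) into infer() is a matter of parsing the columns; the inference itself is the same.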

SLIDE 21

DRAWING A BROADCAST DOMAIN

SLIDE 22

Port knocking

SLIDE 23

FUTURE WORK

1. Extensible event monitoring
2. Sane packaging
3. L2 & L3 model to identify network security policy violations

SLIDE 24

THANK YOU

Check out:

  • Monopticon on GitHub or in the AUR
  • The aaalm Zeek package

Bibliography: nskelsey.com/zweek, securenetwork.it, bvtech.it