visualizing analyzing and filtering zeek events
play

Visualizing, Analyzing and Filtering Zeek Events using a graphical - PowerPoint PPT Presentation

Feb 20, 2024 •263 likes •506 views

Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick Skelsey ZeekWeek 2019 Seattle, WA 11 October, 2019 AGENDA Motivation 1. State of the art 2. Monopticon 3. Related research 4. 2 CONNECTIVITY

  1. Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick Skelsey ZeekWeek 2019 Seattle, WA 11 October, 2019

  2. AGENDA Motivation 1. State of the art 2. Monopticon 3. Related research 4. 2

  3. CONNECTIVITY ISSUES: do not suffer in silence > ping google.com > ping 8.8.8.8 > ip a > ping 192.168.1.0 > dhcp -4 iface_name *check cable* *check unpaid bills* *check news for regional disaster* 3

  4. MOTIVATION Graphics can have high information density. 1. No certifications required. 2. 3 . Develop intuition. 4

  5. IVRE Lalet, Pierre, Florent Monjalet, and Camille Mougey. "IVRE, a network recon framework." ivre.rocks (2017). 5

  6. ZENMAP & RADIALNET RadialNet: An Interactive Network Topology Visualization Tool with Visual Auditing Support, CRITIS 2008 João P. S. Medeiros, Selan R. dos Santos at Federal University of Rio Grande do Norte – UFRN 6

  7. MONOPTICON A GPLv3 application built with C++, zeek and Mangum for POSIX systems. 7

  8. minicps WATER TREATMENT > ip link add name feth1 type dummy > ip link set dev feth1 up > tcpreplay -v -i feth1 SWaT_plc_test.pcapng Antonioli, Daniele, and Nils Ole Tippenhauer. "MiniCPS: A toolkit for security research on CPS networks." Proceedings of the First ACM workshop on cyber-physical systems-security and/or privacy. ACM, 2015. 8

  9. Bettercap ARP Spoofing > set arp.spoof.internal true; > set arp.spoof.targets 192.168.1.20,192.168.1.30; > set arp.spoof.full_duplex on; > arp.spoof on; 9

  10. OBSERVATIONS Limit scope: Ethernet and IPv4 1. Must be modular: Represent the OSI stack as a stack 2. Must be passive: offline packet analysis 3. Must be quick: native or web assembly 4. Should be extensible: zeek and bash scripts 5 . 10 10

  11. DESIGN 11 11

  12. MODELING DEVICES IN A BROADCAST DOMAIN IEEE 802.1* defines ethernet 38:30:f9:61:97:6f 12

  13. MAGNUM.GRAPHICS 13

  14. THE GRAPHICS PIPELINE 14 14

  15. OBJECT SELECTION 3 1 2 15

  16. OBJECT LAYOUT 16 16

  17. LIMITATIONS 17

  18. 802.1 BROADCAST DOMAINS All devices addressable by their MAC. Frames traverse switches based on: - Destination address - The type of address - The switches (routing) tables - Structure of the spanning tree - Optimizations like 802.1aq Fedyk, D., et al. "IS-IS extensions supporting IEEE 802.1 aq shortest path bridging." Internet Engineering Task Force (IETF), RFC 6329 (2012): 2070-1721. 18

  19. AAALM zeek package that passively infers the structure of an IPv4 network over Ethernet 19

  20. INFERRING NETWORK STRUCTURE 20

  21. DRAWING A BROADCAST DOMAIN 21

  22. Port knocking 22

  23. FUTURE WORK Extensible event monitoring 1. Sane packaging 2. L2 & L3 model to identify network security 3. policy violations. 23

  24. THANK YOU Check out: Monopticon on github or in the AUR aaalm zeek package Bibliography: nskelsey.com/zweek bvtech.it securenetwork.it 24

Recommend

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro ->

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro ->

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro -> zeek broctl -> zeekctl bro-cut -> zeek-cut bro-pkg -> zkg /usr/local/bro -> /usr/local/zeek *.bro -> *.zeek bro_{init,done} ->

907 views • 13 slides
CHARGE DEPOSITIONS IN THE APA GAPS FILTERING GAP CROSSING EVENTS FILTERING STOPPING EVENTS USING

CHARGE DEPOSITIONS IN THE APA GAPS FILTERING GAP CROSSING EVENTS FILTERING STOPPING EVENTS USING

CHARGE DEPOSITIONS IN THE APA GAPS FILTERING GAP CROSSING EVENTS FILTERING STOPPING EVENTS USING GAPS CALIBRATION FOR GAP WIDTHS TRISTAN BLACKBURN - SUSSEX ! It is currently unknown how charge deposited in the APA gaps will behave in actuality.

239 views • 20 slides
Where Do Tourists Go? Visualizing and Analyzing the Spatial Distribution of Geotagged

Where Do Tourists Go? Visualizing and Analyzing the Spatial Distribution of Geotagged

Where Do Tourists Go? Visualizing and Analyzing the Spatial Distribution of Geotagged Photography Blint KDR, Mtys GEDE Department of Urban Planning and Design Budapest University of Technology and Economics Department of Cartography

396 views • 15 slides
Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web

Automatically Extracting, Analyzing, and Visualizing Information on Music Artists from the Web Workshop on Learning the Semantics of Audio Signals (LSAS) 21 st June 2008, Paris, France Markus Schedl, Peter Knees Department of Computational

691 views • 26 slides
Computational Tools for Modeling, Visualizing and Analyzing Historic and Archaeological Sites

Computational Tools for Modeling, Visualizing and Analyzing Historic and Archaeological Sites

Computational Tools for Modeling, Visualizing and Analyzing Historic and Archaeological Sites Peter K. Allen Department of Computer Science Columbia University Interdisciplinary project with overall goal of bringing new digital technologies

697 views • 44 slides
Data Analysis Analyzing and Visualizing 15-110 Wednesday 4/15 Learning Goals Perform

Data Analysis Analyzing and Visualizing 15-110 Wednesday 4/15 Learning Goals Perform

Data Analysis Analyzing and Visualizing 15-110 Wednesday 4/15 Learning Goals Perform basic analyses on data to answer simple questions Identify which visualization is appropriate based on the type of data Use matplotlib to

449 views • 44 slides
How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

Run, Zeek, RUN! How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October 11, 2019 ESNet Goals for this presentation The Quest for Efficiency started Long Ago Can Zeek run faster without code

791 views • 25 slides
Visualizing Heart Data Visualizing Heart Data of a living entity by analyzing time- -series data

Visualizing Heart Data Visualizing Heart Data of a living entity by analyzing time- -series data

What do researchers seek? What do researchers seek? To achieve a better understanding of the state To achieve a better understanding of the state Visualizing Heart Data Visualizing Heart Data of a living entity by analyzing time-

59 views • 3 slides
Explore VisIt:: an open source, end user tool for visualizing and analyzing very large data M04:

Explore VisIt:: an open source, end user tool for visualizing and analyzing very large data M04:

at Explore VisIt:: an open source, end user tool for visualizing and analyzing very large data M04: Introduction to VisIt: : 8:30-12:00 M14: Advanced VisIt usage: 1:30-5:00 Monday, November 15 th in Rm 388 Introduction to Tutorial M04 8:30

885 views • 63 slides
1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

1 An Filtering System that Monitors Document Search Engines Can Help, But Not Enough!

Filtering May be Your Work Adaptive Information Filtering Using Bayesian Graphical Models Yi Zhang Baskin School of Engineering University of California Santa Cruz yiz@soe.ucsc.edu 1 2 Filtering May be Your Work Filtering May be Your Work

415 views • 8 slides
Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data - Visualizing trajectories - Visualizing time Tasks Locations (0D, Points) Areas (2D) Distribution Comparison Sensity Max/min values

961 views • 48 slides
Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir

Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir

Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir CERN Intelligence in Zeek Architecture Intel::Item represents intelligence Intel::Type one of ADDR, SUBNET, URL, SOFTWARE, EMAIL, DOMAIN,

520 views • 20 slides
Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi Brent Second Prize Intel-Limiter Package - Jan GrasHoefer Third Prize zeek-sniffpass Package - Andrew Klaus Fourth Prize Known-hosts-with-dns -

177 views • 7 slides
Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering

Traffic Control Mechanisms Filtering Source address filtering Other forms of filtering Rate limits Protection against traffic analysis Padding Routing control Lecture 9 Page 1 CS 236 Online Source Address Filtering

366 views • 11 slides
Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009 Motivation

466 views • 27 slides
CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation

CS490W: What is Collaborative Filtering? Collaborative Filtering (CF): Making recommendation decisions for a specific CS-490W user based on the judgments of users with similar tastes Collaborative Filtering Luo Si Train_User 1 1 5 3 3 4

628 views • 6 slides
Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats

Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats

Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats Woah-2-la-wits If you were confused by all of the consonants jammed together PROPRIETARY AND CONFIDENTIAL Talking today about how to open pull requests

574 views • 18 slides
VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL

VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL

Thesis Proposal VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL VOCABULARY FOR UNCERTAINTY How can the design of information visualizations commonly found in news media coverage incorporate

591 views • 20 slides
FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical

FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical

FILTERING MACROECONOMIC DATA WienerKolmogorov Filtering of Stationary Sequences The classical theory of linear filtering was formulated independently by Norbert Wiener (1941) and Andrei Nikolaevich Kolmogorov (1941) during the Second World

437 views • 19 slides
Analyzing 750 billion events and 46 TB of code What you can learn from GitHub's shared data on

Analyzing 750 billion events and 46 TB of code What you can learn from GitHub's shared data on

Analyzing 750 billion events and 46 TB of code What you can learn from GitHub's shared data on BigQuery Felipe Hoffa Developer Advocate @felipehoffa @felipehoffa @felipehoffa @felipehoffa @felipehoffa @felipehoffa DATA @felipehoffa Who

810 views • 60 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network

GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network

GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network Performance ZeekWeek 2019 Reservoir Labs Jordi Ros-Giralt, Sruthi Yellamraju, Peter Cullen, Troy Hanson, James Ezick, Alison Ryan, Erik Mogus,

424 views • 29 slides
Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic

Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic

Rao-Blackwellised Particle Filtering Based on Rao-Blackwellised Particle Filtering for Dynamic Bayesian Networks by Arnaud Doucet, Nando de Freitas, Kevin Murphy, and Stuart Russel Other sources Artificial Intelligence: A Modern

268 views • 26 slides
Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012

Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012

Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012 Outline The graph visualization problem Algorithms & challenges for visualizing large graphs Visualizing cluster relationships as maps

1.06k views • 76 slides

More recommend