squert - an open source web interface for NSM data
paul halliday | CANHEIT 2014

NSM: the collection and analysis of data to help you detect and respond to intrusions

“... I was trying to lookup squert at work but the search was blocked by our web proxy”
got any freaky new genres in the pipe Ron?
“... while I was researching information for this post I very quickly realized that safe search is a requirement!”

some history
  sguil (circa 2003): event driven, distributed, scales well, ...future ES
  < tcl/tk >

(my) problems
  timestamps (yeah you UTC!)
  lack of summary information
  no visuals
  difficult to constrain results

(my) solution
  version 0.1.0 < php >
  version 0.6.0: ip2c.tcl – afrinic|apnic|arin|lacnic|arin -> to MySQL
  then in 2009: NSM in minutes, even Mom can do it!
  but obscurity can be good... no more hiding
  version 0.9.0
  STOP! regroup..

problems
  slow… long load times
  static content
  no plan
  lots of duplication
  generally inefficient

architecture
  (old) client <-> server
  (now) { client } <- JSON -> server
    { "id": 1, "signature": "bad guys", "src_ip": "65.55.58.201", "dst_ip": "10.0.0.1" }
  Are we safe?
  version 1.3.0 < js >

so what can it do?

data
  Suricata (IDS)
  Bro (network security monitor)
  PCAP
  Windows eventlog
  Barracuda spam firewall

volume / day
  alerts: 500 (15% high priority, immediately actionable)
  notices: 4000
  PCAP: 1TB FIFO
  Elasticsearch: 1500/s
  complementary

the interface
  content links
  display toggles
  summary
  feature icons
  the date controls
  the different event displays
  event drill down
  payload link
  transcript link …?
  transcript details: p0f output; transcript and the file?
  but wait.. there’s more
  external lookups
  software and version info
  not bad, anything else?
  how about the user account: hostname, user

event categorization
  option 1 – class only; function keys: F1…F9
  side note: aggressiveness
  option 2 – class & comment
  auto categorization

filters
  filters – explicit or shell
  explicit
  shell
  seems complicated.. No.
This was complicated: tabs (I thought I was done)

what about force directed?
  siren of the sea

future?
  consistency issues (bugs)
  more external sources (elsa)
  more charts (hive plots, cluster layouts)
  sguil and elasticsearch
  beautify time boundaries (summaries)
  code consolidation

Me: int13h - GitHub @01110000
Squert: http://www.squertproject.org
Sguil: http://sguil.net
Security Onion: http://blog.securityonion.net
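Added example, written for this page and not code from Squert or its author: a small client-side pass over JSON event records of the shape shown on the architecture slide ({id, signature, src_ip, dst_ip}). It assumes two extra fields the slide does not show, "timestamp" and "priority", and its filter syntax (an exact-match field map plus a UTC time window) is this example's own invention, not Squert's explicit/shell filters. All sample events are constructed. It implements the three things the talk lists as missing from the tcl/tk console: UTC-consistent timestamps, summary information, and constraining results.

```javascript
// Added example for this page, not Squert's own code. It operates on JSON
// event records shaped like the one on the architecture slide
// ({id, signature, src_ip, dst_ip}) and ASSUMES two extra fields the slide
// does not show: "timestamp" and "priority". It implements the three things
// the talk lists as missing from the tcl/tk console: UTC-consistent
// timestamps, summary information, and a way to constrain results.

// Constructed sample data (not real alerts). Timestamp formats are mixed on
// purpose: ISO-8601 with "Z", ISO-8601 with an offset, and the zone-less
// "YYYY-MM-DD HH:MM:SS" that many sensors and database exports emit. The
// last record arrives as a raw JSON string, as it would from the server.
const SAMPLE_EVENTS = [
  { id: 1, signature: "bad guys", src_ip: "65.55.58.201", dst_ip: "10.0.0.1", priority: 1, timestamp: "2014-06-10T14:02:11Z" },
  { id: 2, signature: "bad guys", src_ip: "65.55.58.201", dst_ip: "10.0.0.2", priority: 1, timestamp: "2014-06-10 14:05:40" },
  { id: 3, signature: "example policy rule", src_ip: "10.0.0.1", dst_ip: "203.0.113.10", priority: 3, timestamp: "2014-06-10 15:17:02" },
  { id: 4, signature: "example policy rule", src_ip: "10.0.0.7", dst_ip: "203.0.113.10", priority: 3, timestamp: "2014-06-11T09:30:00Z" },
  { id: 5, signature: "example icmp rule", src_ip: "10.0.0.5", dst_ip: "10.0.0.1", priority: 3, timestamp: "2014-06-11 09:31:15" },
  '{"id":6,"signature":"bad guys","src_ip":"65.55.58.201","dst_ip":"10.0.0.1","priority":1,"timestamp":"2014-06-11T10:00:00+02:00"}',
];

// The "yeah you UTC!" problem: Date.parse() treats a zone-less
// "YYYY-MM-DD HH:MM:SS" string as browser-local time, so the same event shows
// different clock times on different analysts' machines. Parse the fields
// ourselves and declare zone-less input to be UTC; honour an explicit offset.
function toUtcMillis(ts) {
  const m = /^(\d{4})-(\d{2})-(\d{2})[ T](\d{2}):(\d{2}):(\d{2})(Z|[+-]\d{2}:?\d{2})?$/.exec(ts);
  if (!m) throw new Error("unrecognised timestamp: " + ts);
  if (m[7] && m[7] !== "Z") return Date.parse(ts.replace(" ", "T")); // explicit offset: ISO parse is unambiguous
  return Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]);
}

// One wire record (JSON string or decoded object) -> normalised event with an
// epoch-millisecond UTC timestamp in `ts`. Missing required fields are an error
// rather than silently rendered as "undefined".
function parseEvent(record) {
  const e = typeof record === "string" ? JSON.parse(record) : record;
  for (const f of ["id", "signature", "src_ip", "dst_ip", "timestamp"]) {
    if (!(f in e)) throw new Error("event " + JSON.stringify(e) + " lacks field " + f);
  }
  return { ...e, priority: Number(e.priority ?? 3), ts: toUtcMillis(e.timestamp) };
}

// Constrain results. The filter syntax is this example's own assumption:
// `where` is an object of field -> exact value (ANDed), `from`/`to` are UTC
// bounds (inclusive / exclusive) in any format toUtcMillis accepts.
function filterEvents(events, { where = {}, from, to } = {}) {
  const lo = from === undefined ? -Infinity : toUtcMillis(from);
  const hi = to === undefined ? Infinity : toUtcMillis(to);
  return events.filter((e) =>
    e.ts >= lo && e.ts < hi &&
    Object.entries(where).every(([k, v]) => String(e[k]) === String(v)));
}

// Summary information: one row per signature, most frequent first, with
// distinct source/destination counts and UTC first/last seen.
function summarize(events) {
  const rows = new Map();
  for (const e of events) {
    let r = rows.get(e.signature);
    if (!r) {
      r = { signature: e.signature, priority: e.priority, count: 0,
            sources: new Set(), destinations: new Set(), first: e.ts, last: e.ts };
      rows.set(e.signature, r);
    }
    r.count += 1;
    r.sources.add(e.src_ip);
    r.destinations.add(e.dst_ip);
    r.first = Math.min(r.first, e.ts);
    r.last = Math.max(r.last, e.ts);
  }
  return [...rows.values()]
    .sort((a, b) => b.count - a.count || a.signature.localeCompare(b.signature))
    .map((r) => ({
      signature: r.signature, priority: r.priority, count: r.count,
      sources: r.sources.size, destinations: r.destinations.size,
      first: new Date(r.first).toISOString(), last: new Date(r.last).toISOString(),
    }));
}

// Fraction of events at priority 1, the "immediately actionable" slice the
// talk puts at about 15% of a day's alerts.
function highPriorityShare(events) {
  return events.length === 0 ? 0 : events.filter((e) => e.priority === 1).length / events.length;
}

const EVENTS = SAMPLE_EVENTS.map(parseEvent);
console.table(summarize(EVENTS));
console.log("high-priority share:", highPriorityShare(EVENTS));
console.table(summarize(filterEvents(EVENTS, { where: { src_ip: "65.55.58.201" }, from: "2014-06-11T00:00:00Z" })));
```

The point of toUtcMillis is the one the "(my) problems" slide makes: if the server ships zone-less timestamps and the client hands them to Date.parse, two analysts in different time zones see different times for the same alert and any time-window filter drifts by the local offset. Normalising to UTC epoch milliseconds once, at parse time, lets the summary's first/last-seen values and the from/to constraints agree regardless of where the browser runs.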