Forensic Challenge 10 - FC5 Attack Dataset Visualization

HoneyNet Forensic Challenge 10 Attack Visualization Winning Submission

Published in: Technology
Transcript of "Forensic Challenge 10 - FC5 Attack Dataset Visualization"

  1. Big Data Meets Infosec – Visualization – Forensics Challenge 10 – Honeynet.org
  2. Challenge
     • Design and build a visualization that describes the attacks that were analyzed in FC5.
     • Use the three prize winners’ solutions as references and to give you a head start on the data analysis.
     • Use the FC5 dataset to create your FC10 visualization.
  3. Solution
     • 4 Cloudera CDH3 nodes
     • Containing HUE and Hive
     • Created “auth.log” table (Hive data parser)
     • Used existing Apache log (Hive parser)
     • Imported FC5 log data to Hadoop Hive
     • Queried data and stored output to files
     • Used csv files for visualizations
  4. Hadoop
  5. Hive Parser – auth.log
     CREATE TABLE authlog (
       month STRING,
       day STRING,
       time STRING,
       something STRING,
       identd STRING,
       user STRING,
       ipaddress STRING,
       port INT,
       application STRING
     )
     ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.dynamic_type.DynamicSerDe'
     WITH SERDEPROPERTIES (
       'serialization.format' = 'org.apache.hadoop.hive.serde2.thrift.TCTLSeparatedProtocol',
       'quote.delim' = '("|\\[|\\])',
       'field.delim' = ' ',
       'serialization.null.format' = '-'
     )
     STORED AS TEXTFILE;
  6. Hive Queries
     • SELECT * FROM authlog WHERE identd = "Accepted password for root";
     • SELECT * FROM authlog WHERE identd = "Failed password for root";
     • CREATE TABLE ipsummary (ipaddress STRING, numrequest INT);
       INSERT OVERWRITE TABLE ipsummary SELECT ipaddress, COUNT(1) FROM accepted_temp_log GROUP BY ipaddress;
     • SELECT ipsummary.ipaddress, ipsummary.numrequest FROM (SELECT MAX(numrequest) AS themax FROM ipsummary) ipsummarymax JOIN ipsummary ON ipsummarymax.themax = ipsummary.numrequest;
  7. Analysis and Visualization Tools
     • Logstash (ad hoc queries to Hive data)
     • OpenHeatMap (visualization of attackers)
     • Excel (Top 10 Brute Force Attacker chart)
     • Maltego (link analysis of Brute/Accepted)
  8. Brute Force Report – World Report
  9. Link to Open Heat Map
     • http://www.openheatmap.com/view.html?map=SqueakersDjambiCarrosserie
  10. Top 10 Brute Force Report
  11. Top 10 Attacks (bar chart; source IPs: 219.150.161.20, 8.12.45.242, 222.66.204.246, 121.11.66.70, 124.207.117.9, 222.169.224.197, 211.154.254.248, 217.15.55.133, 122.226.202.12, 65.208.122.48; x-axis 0 to 30000)
  12. Successful login report
  13. Hive Query Output for “Accepted”
     • Mar 29 13:27:26 app-1 sshd[21556]: Accepted password for root from 10.0.1.2 port 51784 ssh2
     • Apr 19 05:41:44 app-1 sshd[8810]: Accepted password for root from 219.150.161.20 port 51249 ssh2
     • Apr 19 05:42:27 app-1 sshd[9031]: Accepted password for root from 219.150.161.20 port 40877 ssh2
     • Apr 19 05:55:20 app-1 sshd[12996]: Accepted password for root from 219.150.161.20 port 55545 ssh2
     • Apr 19 05:56:05 app-1 sshd[13218]: Accepted password for root from 219.150.161.20 port 36585 ssh2
     • Apr 19 10:45:36 app-1 sshd[28030]: Accepted password for root from 222.66.204.246 port 48208 ssh2
     • Apr 19 11:03:44 app-1 sshd[30277]: Accepted password for root from 201.229.176.217 port 54465 ssh2
     • Apr 19 11:15:26 app-1 sshd[30364]: Accepted password for root from 190.167.70.87 port 49497 ssh2
     • Apr 19 22:37:24 app-1 sshd[2012]: Accepted password for root from 190.166.87.164 port 50753 ssh2
     • Apr 19 22:54:06 app-1 sshd[2149]: Accepted password for root from 190.166.87.164 port 51101 ssh2
     • Apr 19 23:02:25 app-1 sshd[2210]: Accepted password for root from 190.166.87.164 port 51303 ssh2
     • Apr 20 06:13:03 app-1 sshd[26712]: Accepted password for root from 121.11.66.70 port 33828 ssh2
     • Apr 21 11:51:38 app-1 sshd[2649]: Accepted password for root from 193.1.186.197 port 38318 ssh2
     • Apr 21 11:56:37 app-1 sshd[2686]: Accepted password for root from 151.81.205.100 port 54272 ssh2
     • Apr 22 01:30:27 app-1 sshd[4877]: Accepted password for root from 151.82.3.201 port 49249 ssh2
     • Apr 22 06:41:38 app-1 sshd[5876]: Accepted password for root from 151.81.204.141 port 59064 ssh2
     • Apr 22 11:02:15 app-1 sshd[7940]: Accepted password for root from 222.169.224.197 port 45356 ssh2
     • Apr 23 03:11:03 app-1 sshd[13633]: Accepted password for root from 122.226.202.12 port 40892 ssh2
     • Apr 23 03:20:41 app-1 sshd[13930]: Accepted password for root from 122.226.202.12 port 40209 ssh2
     • Apr 24 11:36:19 app-1 sshd[24436]: Accepted password for root from 121.11.66.70 port 58832 ssh2
     • Apr 24 15:28:37 app-1 sshd[31338]: Accepted password for root from 61.168.227.12 port 43770 ssh2
     • Apr 24 16:33:36 app-1 sshd[31845]: Accepted password for root from 188.131.22.69 port 1844 ssh2
     • Apr 24 19:15:54 app-1 sshd[32299]: Accepted password for root from 190.167.74.184 port 60992 ssh2
     • Apr 25 10:38:56 app-1 sshd[9560]: Accepted password for root from 94.52.185.9 port 59821 ssh2
     • Apr 26 04:42:55 app-1 sshd[20096]: Accepted password for root from 188.131.23.37 port 3527 ssh2
     • Apr 26 04:59:02 app-1 sshd[20491]: Accepted password for root from 188.131.23.37 port 3561 ssh2
     • Apr 26 08:47:28 app-1 sshd[23501]: Accepted password for root from 188.131.23.37 port 4271 ssh2
     • Apr 26 08:51:50 app-1 sshd[23542]: Accepted password for root from 188.131.23.37 port 4280 ssh2
  14. Successful intrusion – visualization
     • Import Failed logins and Accepted logins csv’s into Maltego
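As an added example, not part of this deck or of the Honeynet submission it summarizes, the Python below does in one script what slides 5, 6 and 14 do in Hive and Maltego: it parses sshd lines in the auth.log format shown on slide 13, builds the per-IP summary and the "who has the maximum" result from the slide 6 queries, lists the accepted logins, and links failed and accepted logins per source IP so that a success preceded by failed attempts from the same address (the brute-force-then-success pattern) is surfaced first. It uses a regular expression rather than the whitespace-delimited DynamicSerDe on slide 5, because splitting on spaces puts "Accepted password for root" across several columns; that is a design choice of this example, not the deck's. The log lines are constructed for the example (the addresses come from the slides) and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the sshd auth.log format the slides show; this is not
# the FC5 dataset. The pam_unix line is present to show that lines which are
# not Accepted/Failed password events are skipped rather than mis-parsed.
SAMPLE_AUTH_LOG = """\
Apr 19 05:40:01 app-1 sshd[8801]: Failed password for root from 219.150.161.20 port 51201 ssh2
Apr 19 05:40:03 app-1 sshd[8803]: Failed password for root from 219.150.161.20 port 51203 ssh2
Apr 19 05:40:05 app-1 sshd[8805]: Failed password for invalid user admin from 219.150.161.20 port 51205 ssh2
Apr 19 05:41:44 app-1 sshd[8810]: Accepted password for root from 219.150.161.20 port 51249 ssh2
Apr 19 06:00:00 app-1 sshd[9100]: Failed password for root from 8.12.45.242 port 40000 ssh2
Apr 19 06:00:02 app-1 sshd[9102]: Failed password for root from 8.12.45.242 port 40002 ssh2
Apr 19 10:45:36 app-1 sshd[28030]: Accepted password for root from 10.0.1.2 port 48208 ssh2
Apr 19 10:46:00 app-1 sshd[28040]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# One pattern for both outcomes; "invalid user" is optional because sshd
# inserts it for accounts that do not exist on the host.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)


def parse_auth_log(text):
    """Turn sshd Accepted/Failed lines into dicts (the role of the authlog table)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def ip_summary(records, result):
    """Per-IP event counts for one outcome: the ipsummary table on slide 6."""
    return Counter(r["ip"] for r in records if r["result"] == result)


def top_attackers(records, n=10):
    """Top-N sources by failed logins, the data behind the slide 11 chart."""
    return ip_summary(records, "Failed").most_common(n)


def max_attackers(records):
    """Every IP tied for the highest failed-login count (the MAX/JOIN query on slide 6)."""
    counts = ip_summary(records, "Failed")
    if not counts:
        return []
    peak = max(counts.values())
    return sorted(ip for ip, c in counts.items() if c == peak)


def accepted_logins(records):
    """Successful logins as (timestamp, user, ip, port), as on slide 13."""
    return [(f"{r['month']} {r['day']} {r['time']}", r["user"], r["ip"], r["port"])
            for r in records if r["result"] == "Accepted"]


def brute_force_successes(records):
    """Link failed and accepted logins per source, as slide 14 does in Maltego.

    An Accepted login from an IP that already had failed attempts earlier in the
    log is recorded once, with the number of failures that preceded it.
    """
    failed_so_far = Counter()   # Counter returns 0 for unseen IPs without inserting them
    hits = {}
    for r in records:
        if r["result"] == "Failed":
            failed_so_far[r["ip"]] += 1
        elif r["result"] == "Accepted" and failed_so_far[r["ip"]] and r["ip"] not in hits:
            hits[r["ip"]] = {
                "failed_before": failed_so_far[r["ip"]],
                "user": r["user"],
                "first_success": f"{r['month']} {r['day']} {r['time']}",
            }
    return hits


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("top brute-force sources:", top_attackers(recs))
    print("accepted logins:", accepted_logins(recs))
    print("brute force followed by success:", brute_force_successes(recs))
```

On the constructed sample, 219.150.161.20 is both the top failed-login source and the only address whose success follows earlier failures; 10.0.1.2 logs in successfully with no prior failures and so does not appear in the linked result, which is the distinction the Maltego graph on slide 14 is meant to make visible.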
