Safely Drinking From The Fire Hose   @jschauma

Jan Schaumann
Señor Network Security Engineer
jschauma@etsy.com

PGP fingerprint: B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
I <3 logs!

(word cloud: web logs, mail logs, system logs, vpn logs)

08/28/12
Log Bongzilla, aka Splunk

Logs go in… security alerts come out.

(image caption: Is this how Octocat came to be?)
Splunk Alerts FTW!

YO DAWG, I HERD YOU LIKE LOGS
SO I PUT SOME LOGS IN YOUR LOGS
SO YOU CAN SPLUNK WHILE YOU SPLUNK
sudo make me a sandwich

(image slide)
Know your patterns.

(chart: VPN Connections over time, annotated: "July 4th was a Wednesday"; "People making up for last week?"; "People slacking off early on a Friday, eh?")
That was unexpected…
XSS detection

(chart annotations: "Announcement of Bug Bounty program: http://is.gd/UTZ5wD"; "code push to address reported vulnerabilities")
Geolocate all the things!

(image slide)
XSS detection

IP          : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net
Geolocation : Even Yehuda, 02, IL
Whois       : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND
Requests    : 146
  Method    : GET
  URL       : /suggest_username.php?first-name=test&last-name=onerror%3Dalert(0)%3E&email=shai%40exploit.co.il

  Method    : POST
  URL       : /your/profile
  Data      : u'fb_avatar_url=&gender=female&city3=&new_city="><img src=x onerror=prompt(1);>&new_region=&new_countrycode=&new_latlon=,&city3_dup="><img src=x'

[…]

(annotation: 13 minutes after we announced our security bug bounty program, http://is.gd/UTZ5wD)
SQLi detection

IP          : 216.185.114.219 - unknown
Geolocation : Jurong East, 00, SG
Whois       : ThePlanet.com Internet Services, Inc., ARIN, NET216
Requests    : 20
  Method    : GET
  URL       : /listing/102946830/womens-shirt-beige-tunic-womens-blouse?ref=999999.9%27+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536+and+%27x%27%3D%27x

  Method    : GET
  URL       : /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20

[…]
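The two alert slides above show the output of the detection, not how it is produced. The following is an added example (not code from the deck or from Etsy) of the pipeline they imply: parse combined-format web log lines, URL-decode the request before matching XSS and SQLi indicators (so %3C and + encodings cannot hide them), drop whitelisted internal scanners to cut false positives, aggregate by source IP and enrich the result in the layout the slides use. The log lines, the whitelist and the ENRICHMENT table are constructed for the example; a real deployment would replace the table with GeoIP and whois lookups.

```python
"""Flag XSS / SQLi probes in web access logs and build a per-IP alert summary.

Added example, not Etsy's or Jan Schaumann's own code. The log lines, the
whitelist and the geolocation/whois table below are constructed for the
example; in production the enrichment would come from a GeoIP database and
whois lookups.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Combined-log-format lines (constructed sample input).
SAMPLE_LOG = """\
79.182.16.1 - - [28/Aug/2012:10:13:02 +0000] "GET /suggest_username.php?first-name=test&last-name=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(0)%3E HTTP/1.1" 200 312 "-" "Mozilla/5.0"
79.182.16.1 - - [28/Aug/2012:10:13:05 +0000] "POST /your/profile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
216.185.114.219 - - [28/Aug/2012:11:02:41 +0000] "GET /category/furniture?page=499999%27%20union%20select%20unhex(hex(version()))%20 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
216.185.114.219 - - [28/Aug/2012:11:02:43 +0000] "GET /listing/102946830/blouse?ref=999999.9%27+union+all+select+0x31%2C0x32+and+%27x%27%3D%27x HTTP/1.1" 500 0 "-" "sqlmap/1.0"
10.0.0.5 - - [28/Aug/2012:11:05:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 100 "-" "internal-scanner"
198.51.100.7 - - [28/Aug/2012:11:06:00 +0000] "GET /listing/123/red-union-jack-pillow HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Internal scanner / QA hosts whose probes are expected (constructed whitelist).
WHITELIST = {"10.0.0.5"}

# Stand-in for GeoIP + whois enrichment (constructed table, not a real lookup).
ENRICHMENT = {
    "79.182.16.1": ("Even Yehuda, 02, IL", "RIPE, BEZEQINT-BROADBAND"),
    "216.185.114.219": ("Jurong East, 00, SG", "ARIN, NET216"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the *decoded* request. The quote before
# "union select" keeps a product name like "red-union-jack-pillow" from firing.
XSS_RE = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon(error|load|mouseover)\s*=", re.I)
SQLI_RE = re.compile(
    r"'\s*(union\s+(all\s+)?select|or\s+[\w']+\s*=|and\s+[\w']+\s*=)"
    r"|\bunhex\s*\(\s*hex\s*\(|\bsleep\s*\(|\bbenchmark\s*\(",
    re.I,
)


def parse_log_line(line):
    """Return a dict with ip, ts, method, url, status, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(url):
    """Return 'xss', 'sqli' or None for a request path+query string."""
    parts = urlsplit(url)
    decoded = unquote_plus(parts.query) + " " + unquote_plus(parts.path)
    if SQLI_RE.search(decoded):
        return "sqli"
    if XSS_RE.search(decoded):
        return "xss"
    return None


def build_alerts(log_text, whitelist=WHITELIST, enrichment=ENRICHMENT):
    """Group suspicious requests per source IP, skipping whitelisted hosts.

    Returns {ip: {"requests": total_from_ip, "findings": [(kind, method, url)],
                  "geolocation": ..., "whois": ...}} for IPs with a finding.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "findings": []})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]]["requests"] += 1
        kind = classify_request(rec["url"])
        if kind:
            per_ip[rec["ip"]]["findings"].append((kind, rec["method"], rec["url"]))
    alerts = {}
    for ip, info in per_ip.items():
        if not info["findings"] or ip in whitelist:
            continue
        geo, whois = enrichment.get(ip, ("unknown", "unknown"))
        alerts[ip] = {**info, "geolocation": geo, "whois": whois}
    return alerts


def format_alert(ip, alert):
    """Render one alert in the key/value layout the slides use."""
    lines = [
        f"IP          : {ip}",
        f"Geolocation : {alert['geolocation']}",
        f"Whois       : {alert['whois']}",
        f"Requests    : {alert['requests']}",
    ]
    for kind, method, url in alert["findings"]:
        lines += [f"  Method    : {method}", f"  URL       : {url}   [{kind}]"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, alert in build_alerts(SAMPLE_LOG).items():
        print(format_alert(ip, alert), end="\n\n")
```

The POST to /your/profile is counted toward the IP's request total but not flagged, because an access log carries no request body; catching the body payload shown on the slide needs application-level logging of the submitted fields.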
Know when people can't log in…

(image slide)
High number of failed logins

Admin              : <username> (<internal login>, <site login>)
IP                 : 64.124.192.210 - 64.124.192.210.t01419-07.above.net
Geolocation        : Brooklyn, NY, US
Whois              : ETSY Inc, ARIN, NET64
# of failed logins : 13

(annotation: doesn't know what he's doing; do not trust!)

Admin              : jschauma (jschauma, jschauma)
IP                 : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr-avec.ny.cable.rcn.com
Geolocation        : New York, United States
Whois              : RCN Corporation, ARIN, NET207
# of failed logins : 16
Geolocate all the things!

(image slide)
"Unexpected" login detection

Admin       : <username> (<internal login>, <site login>)
IP          : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl
Geolocation : Rotterdam, 11, NL
Whois       : XS4ALL Internet BV, RIPE, DEMON-NL-DSL

Admin       : <username> (<internal login>, <site login>)
IP          : 217.192.56.102 - unknown
Geolocation : Zurich, 25, CH
Whois       : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET

Admin       : <username> (<internal login>, <site login>)
IP          : 24.231.49.240 - unknown
Geolocation : Nassau, 23, BS
Whois       : Cable Bahamas, ARIN, CABLEBAHAMAS-NET

Admin       : <username> (<internal login>, <site login>)
IP          : 200.49.191.120 - map120.network49.191.tigo.net.gt
Geolocation : Guatemala City, 07, GT
Whois       : COMCEL GUATEMALA S.A., LACNIC
I said: "Please insert girder!"

(image slide)
Identify scrapers.

Admin       : <username> (<internal login>, <site login>)
IP          : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com
Geolocation : Ashburn, VA, US
Whois       : Amazon.com, Inc., ARIN, NET50
Provider    : Amazon AWS
Count       : 7

Admin       : <username> (<internal login>, <site login>)
IP          : 207.228.237.110 - unknown
Geolocation : New York, NY, US
Whois       : HopOne Internet Corporation, ARIN, NET207
Provider    : HopOne
Count       : 1
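The three login slides (failed-login counts, "unexpected" logins and logins from hosting providers) are all per-account profiling over the same authentication log. The following is an added example (not code from the deck or from Etsy) that does the three checks over one event stream: a failure threshold per admin and IP, a per-admin profile of countries seen in past successful logins with a travel whitelist on top (the slides' "build profiles" and "reduce false positives"), and a hosting/cloud classifier for the scraper case. The EVENTS, HISTORY, GEO, TRAVEL_WHITELIST and PROVIDER_RANGES values are constructed for the example; in a real deployment GEO comes from a GeoIP database and PROVIDER_RANGES from whois or BGP data.

```python
"""Admin-login alerting: failed-login thresholds, "unexpected" geography, and
logins from hosting/cloud address space.

Added example, not Etsy's or Jan Schaumann's own code. All input data below
(events, history, geo table, provider ranges, whitelist) is constructed.
"""
import ipaddress
from collections import Counter

# Constructed hosting/cloud ranges: placeholder for a whois/BGP-derived list.
PROVIDER_RANGES = [
    (ipaddress.ip_network("50.16.0.0/14"), "Amazon AWS"),
    (ipaddress.ip_network("207.228.224.0/19"), "HopOne"),
]

# Constructed GeoIP stand-in: ip -> country code.
GEO = {
    "64.124.192.210": "US", "207.38.139.33": "US", "83.160.48.31": "NL",
    "217.192.56.102": "CH", "50.17.73.70": "US", "207.228.237.110": "US",
    "200.49.191.120": "GT",
}

# Admins who told us they are travelling, and where (constructed).
TRAVEL_WHITELIST = {"bob": {"CH"}}

# Constructed login events: (admin, ip, outcome) in time order.
EVENTS = (
    [("alice", "64.124.192.210", "fail")] * 13
    + [("jschauma", "207.38.139.33", "fail")] * 16
    + [("jschauma", "207.38.139.33", "ok")]
    + [("carol", "83.160.48.31", "ok"), ("bob", "217.192.56.102", "ok")]
    + [("dave", "50.17.73.70", "ok")] * 7
    + [("erin", "200.49.191.120", "ok"), ("frank", "207.228.237.110", "ok")]
)

# Constructed history: countries of each admin's past successful logins.
HISTORY = {
    "alice": ["US"] * 40, "jschauma": ["US"] * 80, "carol": ["US"] * 30,
    "bob": ["US"] * 25, "dave": ["US"] * 10, "erin": ["US"] * 5, "frank": ["US"] * 3,
}


def failed_login_alerts(events, threshold=10):
    """Failures per (admin, ip); return those at or above the threshold."""
    fails = Counter((admin, ip) for admin, ip, outcome in events if outcome == "fail")
    return {key: n for key, n in fails.items() if n >= threshold}


def build_profiles(history):
    """Per-admin set of countries seen in past successful logins."""
    return {admin: set(countries) for admin, countries in history.items()}


def provider_for(ip):
    """Name of the hosting/cloud provider owning ip, or None for other space."""
    addr = ipaddress.ip_address(ip)
    for net, name in PROVIDER_RANGES:
        if addr in net:
            return name
    return None


def unexpected_login_alerts(events, profiles, geo=GEO, whitelist=TRAVEL_WHITELIST):
    """Successful logins from a country outside the admin's profile and whitelist."""
    alerts = []
    for admin, ip, outcome in events:
        if outcome != "ok":
            continue
        country = geo.get(ip, "??")
        known = profiles.get(admin, set()) | whitelist.get(admin, set())
        if country not in known:
            alerts.append((admin, ip, country))
    return alerts


def scraper_alerts(events):
    """Successful logins from hosting/cloud space, counted per admin, ip, provider."""
    counts = Counter()
    for admin, ip, outcome in events:
        provider = provider_for(ip)
        if outcome == "ok" and provider:
            counts[(admin, ip, provider)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (admin, ip), n in failed_login_alerts(EVENTS).items():
        print(f"failed logins   : {admin} from {ip}: {n}")
    for admin, ip, country in unexpected_login_alerts(EVENTS, build_profiles(HISTORY)):
        print(f"unexpected login: {admin} from {ip} ({country})")
    for (admin, ip, provider), n in scraper_alerts(EVENTS).items():
        print(f"hosting login   : {admin} from {ip} via {provider}, count {n}")
```

The whitelist is deliberately per admin and per country rather than global: a travelling admin's Zurich login should not silence every other admin's Swiss login, and the profile itself is rebuilt from successful logins only, so a brute-force attempt never teaches the profile a new "home" country.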
Re-re-re-re-re-CAPTCHA

source="info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount
Of Liars and Outliers (good book, btw)

(chart annotations: "wtf happened here?"; "Ooh, right… this:" http://is.gd/fognju, http://is.gd/0hRDLY, http://is.gd/WxcA0r)
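Both the VPN-connections chart under "Know your patterns" and the chart on this slide make the same point: a daily count only reads as an outlier against a baseline that knows the weekly rhythm (the July 4th dip is only surprising because it was a Wednesday). The following is an added example (not code from the deck or from Etsy) of such a baseline: per weekday median and median absolute deviation over a trailing window, with a modified z-score to flag days that stand out. The daily counts are constructed, with a weekday/weekend pattern, a dip on Wednesday 4 July 2012 and a spike on one Friday, so the script has something to find and then explain.

```python
"""Per-weekday baseline for daily event counts (VPN connections, logins,
reCAPTCHA failures, ...) with robust outlier flagging.

Added example, not Etsy's or Jan Schaumann's own code. The daily counts are
constructed: a weekday/weekend pattern, a dip on Wednesday 4 July 2012 and a
spike on Friday 13 July 2012.
"""
from datetime import date, timedelta
from statistics import median


def constructed_counts():
    """Daily VPN connection counts for 11 Jun - 22 Jul 2012 (constructed)."""
    counts = {}
    weekday_base = [410, 420, 415, 405, 360, 60, 55]  # Mon..Sun
    start = date(2012, 6, 11)  # a Monday
    for i in range(42):
        d = start + timedelta(days=i)
        counts[d] = weekday_base[d.weekday()] + (i * 7) % 11  # small jitter
    counts[date(2012, 7, 4)] = 120   # holiday: most people off the VPN
    counts[date(2012, 7, 13)] = 640  # spike that needs an explanation
    return counts


def weekday_baselines(counts):
    """For each weekday 0..6 return (median, MAD) over the observed counts."""
    by_weekday = {}
    for d, n in counts.items():
        by_weekday.setdefault(d.weekday(), []).append(n)
    baselines = {}
    for wd, values in by_weekday.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baselines[wd] = (med, mad)
    return baselines


def outliers(counts, k=3.5, min_mad=1.0):
    """Days whose count is more than k robust deviations from their weekday median.

    Uses the modified z-score 0.6745 * (x - median) / MAD. Median and MAD,
    unlike mean and standard deviation, are not dragged around by the very
    outliers being looked for; MAD is floored at min_mad so a perfectly
    regular weekday does not make every small deviation infinite.
    """
    base = weekday_baselines(counts)
    found = []
    for d, n in sorted(counts.items()):
        med, mad = base[d.weekday()]
        z = 0.6745 * (n - med) / max(mad, min_mad)
        if abs(z) > k:
            found.append((d, n, round(z, 1)))
    return found


if __name__ == "__main__":
    for d, n, z in outliers(constructed_counts()):
        print(f"{d} ({d.strftime('%a')}): {n} connections, modified z = {z}")
```

Six weeks of history is enough for this weekday model; a dataset spanning a change in headcount or a VPN migration needs the window bounded, or the baseline will average the old and new normal and flag neither.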
This talk was too long!

Log it now, log it all.
Geolocate all the things.
Build profiles. (Creepy, I know.)
Reduce false positives. (Whitelists!)
Have defined reactions to all alerts.
Notice the outliers. Explain them.

That's all, folks! Thanks!
