Francisco Jesús Gómez & Carlos Juan Diaz - Sinfonier: Storm Builder for Security Investigations [Rooted CON 2014]



  1. /sin’fɒnjə/ Security Intelligence
  2. Army Knowledge Online (www.us.army.mil) FM 2-0 INTELLIGENCE
  3. The Intelligence Cycle: Direction, Collection, Analysis, Dissemination (http://www.cni.es/es/queescni/ciclo/)
  4. This is NOT OSINT. This is Copy & Paste. http://tinyurl.com/pavtula http://tinyurl.com/npegzok http://tinyurl.com/q2ag2b9 (February 26, 2014)
  5. What is Intelligence? “Quite simply, intelligence is the information our nation’s leaders need to keep our country safe. Our leaders, like the President, make policy decisions based on this intelligence.” Intelligence (Kids’ Zone), https://www.cia.gov/kids-page/6-12th-grade/who-we-are-what-we-do/what-is-intelligence.html
  6. Intelligence. • The generation of knowledge in support of decision makers: Troubleshooting, Anticipation. • Intelligence is people (but not all people are intelligent): – Methodologies – Tools – Techniques
  7. Tools are Essential. The problem: sheer volume of information, volatile, time saving. The work: gather, structure, enrich, classify, store, integrate, analyze, in realtime.
  8. Storm Builder for Security Intelligence
  9. Storm. “Apache Storm is a free and open source distributed realtime computation system. Storm makes it easy to reliably process unbounded streams of data, doing for realtime processing what Hadoop did for batch processing. Storm is simple, can be used with any programming language, and is a lot of fun to use!” http://storm.incubator.apache.org/
  10. Visual Programming http://blog.interfacevision.com/design/design-visual-progarmming-languages-snapshots/
  11. Module: Types. SPOUT, BOLT, DRAIN
  12. Module: Types. SPOUT: “A spout is a source of streams in a computation. Typically a spout reads from a queueing broker such as Kestrel, RabbitMQ, or Kafka, but a spout can also generate its own stream or read from somewhere like the Twitter streaming API. Spout implementations already exist for most queueing systems.”
  13. Module: Types. BOLT: “A bolt processes any number of input streams and produces any number of new output streams. Most of the logic of a computation goes into bolts, such as functions, filters, streaming joins, streaming aggregations, talking to databases, and so on.”
  14. Module: Types. DRAIN: ?
  15. Module: Life Cycle. Define a Module, Load to Storm, Use in a Topology, Upload your Code, Share on Sinfonier
  16. Topology. Make a Topology, Run on Storm, Check Dashboard, Show results
  17. Shell Scripting

```bash
# Top DNS clients in a BIND query log, geolocated.
# Field 6 is the client "ip#port:" (log written with print-category/print-severity).
cat /var/log/named/query.log | grep "IN A" | awk '{ print $6 }' \
  | awk -F"#" '{ print $1 }' | sort -n | uniq -c | sort -rn | head \
  | awk '{ printf "%s,", $1; system("curl -s http://freegeoip.net/csv/" $2 " | cut -d\",\" -f3") }'

# Size of every rootedcon.es link on the front page that answers HTTP 200.
# xargs -n 1 runs one curl per URL so that -o /dev/null applies to each of them.
curl --retry 3 --insecure -s https://www.rootedcon.es/ \
  | grep -E 'href="http://.*rootedcon.es' | awk -F'href="' '{ print $2 }' | sed 's|".*||g' \
  | xargs -n 1 curl -s -o /dev/null --write-out "%{http_code}:%{size_download}\n" \
  | awk -F":" '{ if ($1 == "200") { print "RSS size: " $2 } }'

# crontab -l
# m h dom mon dow command
@reboot /usr/bin/python /home/charlie/.ave_phoenix.py
# redirect stdout before stderr, otherwise stderr still reaches the cron mail
30 7,15,23 * * * /home/charlie/vigila/gauchap.sh -tweet fotos >/dev/null 2>&1
```
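The DNS top-talkers pipeline from the Shell Scripting slide, rewritten as the spout / bolt / drain chain described on the Module: Types slides. This is an added example and not code from the talk or from the Sinfonier project: the Topology class, the module functions, the sample query.log lines and the geolocation table are all constructed for illustration, and the enrichment bolt uses a local RFC 1918 check plus that table in place of the freegeoip.net call.

```python
"""Spout / bolt / drain topology over a BIND query log (added example, constructed data)."""
from collections import Counter
import ipaddress

# Constructed sample of /var/log/named/query.log, written with BIND's
# print-category/print-severity enabled so that field 6 (1-based, as in the
# slide's awk '{ print $6 }') is the client address in "ip#port:" form.
SAMPLE_QUERY_LOG = """\
26-Feb-2014 10:15:32.123 queries: info: client 10.0.0.5#53421: query: www.example.com IN A + (10.0.0.1)
26-Feb-2014 10:15:32.456 queries: info: client 10.0.0.5#53422: query: mail.example.com IN A + (10.0.0.1)
26-Feb-2014 10:15:33.001 queries: info: client 203.0.113.9#40001: query: example.net IN A + (10.0.0.1)
26-Feb-2014 10:15:33.002 queries: info: client 203.0.113.9#40002: query: example.net IN AAAA + (10.0.0.1)
26-Feb-2014 10:15:34.777 queries: info: client 198.51.100.7#5353: query: example.org IN MX + (10.0.0.1)
26-Feb-2014 10:15:35.010 queries: info: client 10.0.0.5#53423: query: www.example.com IN A + (10.0.0.1)
"""

# Constructed enrichment table standing in for the freegeoip.net lookup on the slide.
FAKE_GEO = {"203.0.113.9": "ES", "198.51.100.7": "US"}

# RFC 1918 ranges: internal clients are tagged locally and never sent to an external lookup.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Topology:
    """Stand-in for a Sinfonier/Storm topology: one spout, ordered bolts, one drain.

    Each module is a generator over the previous module's tuples, which keeps the
    data flow of a real topology without the Storm runtime (hypothetical class).
    """

    def __init__(self, spout):
        self.stream = spout

    def bolt(self, module, *args):
        self.stream = module(self.stream, *args)
        return self

    def drain(self, module):
        return module(self.stream)


def spout_lines(text):
    """SPOUT: source of the stream, one tuple (line) per non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            yield line


def bolt_a_queries(lines):
    """BOLT: keep A queries only.  The slide's grep "IN A" is a substring match and
    also passes AAAA lines, so the record-type field is compared exactly here."""
    for line in lines:
        f = line.split()
        if len(f) >= 10 and f[8] == "IN" and f[9] == "A":
            yield f


def bolt_client_ip(records):
    """BOLT: field 6 is 'ip#port:'; keep the part before '#' like awk -F"#" '{ print $1 }'."""
    for f in records:
        yield f[5].split("#")[0]


def bolt_top_talkers(ips, n=10):
    """BOLT: streaming aggregation, the equivalent of sort | uniq -c | sort -rn | head."""
    for ip, count in Counter(ips).most_common(n):
        yield count, ip


def bolt_enrich(pairs, geo=FAKE_GEO):
    """BOLT: enrichment.  Internal (RFC 1918) clients are tagged as such; any other
    address is looked up in the constructed table (swap in a real lookup here)."""
    for count, ip in pairs:
        addr = ipaddress.ip_address(ip)
        internal = any(addr in net for net in RFC1918)
        yield count, ip, "INTERNAL" if internal else geo.get(ip, "UNKNOWN")


def drain_csv(rows):
    """DRAIN: terminal module; renders one 'count,ip,country' line per top talker."""
    return [f"{count},{ip},{country}" for count, ip, country in rows]


def run_topology(log_text, top_n=10):
    """Wire the modules in the order of the shell pipeline and return the drain output."""
    return (Topology(spout_lines(log_text))
            .bolt(bolt_a_queries)
            .bolt(bolt_client_ip)
            .bolt(bolt_top_talkers, top_n)
            .bolt(bolt_enrich)
            .drain(drain_csv))


if __name__ == "__main__":
    for row in run_topology(SAMPLE_QUERY_LOG):
        print(row)
```

Each function maps onto one stage of the `cat | grep | awk | sort | uniq -c | sort -rn | head | awk` chain, which is the point of the Topology slides: a module that is written once can be reused in any topology, and the same log feeds different drains by swapping the last stage. In a real Storm deployment every module runs as its own component with tuples passed between them; the generator chain here only preserves the data flow so that the example runs offline.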
  18. Demo & Use cases
  19. TweetMon
  20. TorrentPeer
  21. Crawler
  22. Roadmap: Fun & Profit, Community
  23. We Want You
  24. Become a Beta Tester. http://sinfonier-project.net/ http://tinyurl.com/sinfonier
