This document discusses methods for detecting anomalies and compromised hosts using netflow data. It proposes both a top-down method that analyzes total traffic to detect deviations, as well as a bottom-up method that looks at individual host behavior compared to the general population. Two real examples are analyzed to demonstrate the process of finding unusual connections for a host, rating how unusual they are, and validating potential compromises through blacklists. The goal is to automatically detect anomalies, compromised systems, and botnet command and control servers through netflow correlation and analysis.
3. First Goal (1)
To create an automated method of detecting unusual connections and/or anomalies with netflows, thereby finding compromised hosts.
4. Top Down Method Works Well With IDS
(Figure: total traffic over time, N=100; a P2P BitTorrent transfer stands out as a "deviation" from the total traffic.)
5. Netflow Anomaly Detection: Top Down Strategy
Analyzing the total traffic down to individual hosts by detecting behavioral deviations.
Been there and done that with netflows (2008).
The problem: even though a malicious traffic event is usually an anomaly, an anomaly is not always a malicious event.
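The top-down strategy above, written out as an added Python example; this is my code, not the author's 2008 implementation, and the slides do not specify the statistic. Assumptions: traffic is summed per fixed interval, a deviation is an interval whose total exceeds the mean of the previous N intervals by more than k standard deviations (N=100 as on the chart of slide 4), and the deviation is then attributed to the host that contributed the most bytes in that interval. The flow summaries are constructed, with one large transfer standing in for the BitTorrent burst.

```python
"""Top-down deviation detection on total traffic, then attribution to a host.
Added example (assumptions: per-interval totals, sliding window of N intervals,
mean + k*stddev threshold, attribution to the top sender of the interval)."""
from collections import Counter
from statistics import mean, pstdev

HOSTS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]  # constructed population


def constructed_records(n_intervals=120, burst_at=110, burst_host="192.0.2.5", burst_bytes=200_000):
    """Constructed (interval, src_host, bytes) summaries: a steady baseline with
    deterministic jitter per host, plus one large transfer in a single interval."""
    records = []
    for i in range(n_intervals):
        for j, host in enumerate(HOSTS):
            records.append((i, host, 1_000 + (i * 37 + j * 11) % 50))
    records.append((burst_at, burst_host, burst_bytes))
    return records


def totals_by_interval(records, n_intervals):
    """Total bytes of the whole population per interval (the 'total traffic' curve)."""
    totals = [0] * n_intervals
    for interval, _, nbytes in records:
        totals[interval] += nbytes
    return totals


def find_deviations(totals, n=100, k=3.0):
    """Intervals whose total exceeds mean + k*stddev of the preceding n intervals.
    The window only contains history, so a burst is never compared against itself;
    the 1-byte stddev floor avoids a zero threshold on a perfectly flat baseline."""
    hits = []
    for i in range(n, len(totals)):
        window = totals[i - n:i]
        threshold = mean(window) + k * max(pstdev(window), 1.0)
        if totals[i] > threshold:
            hits.append(i)
    return hits


def top_contributor(records, interval):
    """Host that sent the most bytes in the interval: the 'down to individual hosts' step."""
    per_host = Counter()
    for i, host, nbytes in records:
        if i == interval:
            per_host[host] += nbytes
    return per_host.most_common(1)[0][0]


def top_down(records, n_intervals, n=100, k=3.0):
    """(interval, host) for every deviation found in the total traffic."""
    totals = totals_by_interval(records, n_intervals)
    return [(i, top_contributor(records, i)) for i in find_deviations(totals, n, k)]


def demo():
    return top_down(constructed_records(), 120)


if __name__ == "__main__":
    for interval, host in demo():
        print(f"deviation in interval {interval}: most traffic from {host}")
```

Note what the result does and does not tell you: the flagged host is the one behind the deviation, but nothing here says whether it is malicious, which is exactly the caveat of slide 5. The intervals right after the burst are not flagged because the burst itself inflates the window's standard deviation; a long-lived burst would need a window that excludes already-flagged intervals.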
6. New Goal (2)
With an automated method, find the correlating netflows of incidents regardless of the source of the information (IDS, SWITCH-CERT, AV, user, admin, netflows).
12. Pros and Cons With This Method
Pro: it is automatic and indeed sometimes successful.
Con: it may take a long time to run.
Again: not all anomalies are malicious. The potential problem is an individual host that generates harmless but very diverse unusual traffic.
Both pro and con: it is possible to automatically sort the connections based on how usual/unusual they are.
14. A Real Example (SWITCH)
[SWITCH-CERT #22814x] Most likely compromised system [129.132.208.10x] [Botnet]
Based on received information about a "malicious IRC command master at 183.203.15.205"
2013-08-14 17:40:08.070
15. ./analyzerdynamic2.sh 129.132.208.10x 20130814 1800
Enter Comment. End it with ^D
Subject: [SWITCH-CERT #228144] Most likely compromised system [129.132.208.10x ...] [Botnet]
Done. Comment stored in -rw-r--r-- 1 hall nsg 93 Aug 22 18:05 comment
DEBUG: starthour:201308141700 endhour:201308141800 startday:201308131800 port:-1
First DYNAMIC STAGE *************************************
nfdump -M /nfsen -R nfcapd.201308141700:nfcapd.201308141800 '( host 129.132.208.10x )' | grep ^2013 | awk '{ print $7 }' | sed 's/:/ /g' | awk '{ print $1 }' | grep -v "129.132.208.10x:" | sort -u > ./analyzer_129.132.208.10x.outp
Debug dnumber:41
Second DYNAMIC STAGE *************************************
107.21.234.205
112 107.21.234.205 (40)
108.160.162.53
1938 108.160.162.53 (39)
108.160.163.46
229 108.160.163.46 (38)
12.130.131.80
120 12.130.131.80 (37)
...
19. The Concept in a Nutshell
1. Find all connections around the investigated IP over a 60 minute period.
2. Take those connections and rate how usual (or unusual) these are in the general population over a 24hr period.
20. Find All Connections Around the Investigated IP Over a 60 Minute Period
(Figure: the investigated IP in the ETH network, its connections to the Internet, and the time point of interest.)
21. Take Those Connections and Rate How Usual (or Unusual) These Are in the General Population Over a 24hr Period
(Figure: the same destinations, now viewed from the whole ETH network towards the Internet.)
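The two stages of slides 19 to 21, which are what the analyzerdynamic2.sh runs on slides 15 and 23 print, written out as an added Python example over constructed nfdump-style flow lines. This is my code, not the author's script. Assumptions: "how usual" a destination is gets measured as the number of distinct other hosts of the population that contacted it in the 24 hours before the time point (the slides do not say whether their count is hosts or flows); the destination can optionally be keyed on IP:port, which is the first to-do on slide 27; and the final step checks the least usual destinations against a constructed block-list prefix standing in for an SBL lookup. The flow lines follow the nfdump line layout the author's awk pipeline relies on ($5 = source ip:port, $7 = destination ip:port) but use TEST-NET addresses only.

```python
"""Bottom-up rating of one host's connections against the population.
Added example over nfdump-style 'line' output (constructed data, TEST-NET addresses).
Stage 1: destinations the investigated host contacted in the 60 minutes before the time point.
Stage 2: for each, how many other hosts contacted it in the preceding 24 hours (fewest first).
Then the least usual destinations are cross-checked against a block list."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nfdump output; header and summary lines are included to show they get skipped.
SAMPLE_FLOWS = """\
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2013-08-12 10:00:00.000     0.500 TCP        192.0.2.16:40001 ->     203.0.113.7:6667        30     2100     1
2013-08-13 19:05:00.000     0.120 TCP        192.0.2.12:50010 ->   198.51.100.20:443        10     1200     1
2013-08-14 09:00:00.000     0.300 TCP        192.0.2.13:50011 ->   198.51.100.20:443        12     1500     1
2013-08-14 12:00:00.000     0.200 TCP        192.0.2.14:50012 ->   198.51.100.20:443         9     1100     1
2013-08-14 14:00:00.000     0.250 TCP        192.0.2.12:50013 ->   198.51.100.20:443        11     1300     1
2013-08-14 15:00:00.000     0.100 TCP        192.0.2.12:50014 ->    198.51.100.30:80         5      600     1
2013-08-14 16:00:00.000     0.100 TCP        192.0.2.15:50015 ->    198.51.100.30:80         6      700     1
2013-08-14 16:30:00.000     0.400 TCP        192.0.2.11:50016 ->   198.51.100.40:443        14     1800     1
2013-08-14 17:10:00.000     0.300 TCP        192.0.2.11:50017 ->   198.51.100.20:443        10     1250     1
2013-08-14 17:20:00.000    60.000 TCP        192.0.2.11:50018 ->     203.0.113.7:6667        40     2800     1
2013-08-14 17:30:00.000     0.100 TCP        192.0.2.11:50019 ->    198.51.100.30:80         4      500     1
Summary: total flows: 11
"""
INVESTIGATED = "192.0.2.11"                    # constructed stand-in for 129.132.208.10x
TIME_POINT = datetime(2013, 8, 14, 18, 0)      # the '20130814 1800' argument of the author's script
BLOCKLIST = ["203.0.113.0/24"]                 # constructed stand-in for SBL/BGPCC entries


def parse_flows(text):
    """(timestamp, src_ip, dst_ip, dst_port) per flow line; header/summary lines are skipped
    the way the author's 'grep ^2013' does. IPv4 only (port split on the last colon)."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0][:4].isdigit():
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S.%f")
        src_ip = f[4].rsplit(":", 1)[0]
        dst_ip, dst_port = f[6].rsplit(":", 1)
        flows.append((ts, src_ip, dst_ip, int(dst_port)))
    return flows


def dest_key(dst_ip, dst_port, by_port):
    return f"{dst_ip}:{dst_port}" if by_port else dst_ip


def stage1_destinations(flows, host, at, window=timedelta(hours=1), by_port=False):
    """Everything the investigated host talked to in the window ending at the time point."""
    start = at - window
    return {dest_key(d, p, by_port) for ts, s, d, p in flows if s == host and start <= ts < at}


def stage2_rate(flows, dests, host, at, period=timedelta(hours=24), by_port=False):
    """Distinct other hosts that contacted each destination over the period; least usual first."""
    start = at - period
    talkers = defaultdict(set)
    for ts, s, d, p in flows:
        key = dest_key(d, p, by_port)
        if key in dests and s != host and start <= ts < at:
            talkers[key].add(s)
    return sorted((len(talkers[k]), k) for k in dests)


def cross_check(rated, blocklist, max_talkers=1):
    """Destinations contacted by at most max_talkers other hosts that also sit in a listed prefix."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    hits = []
    for count, key in rated:        # rated is sorted ascending, so stop at the first usual one
        if count > max_talkers:
            break
        addr = ipaddress.ip_address(key.split(":")[0])
        if any(addr in net for net in nets):
            hits.append(key)
    return hits


def analyze(text, host, at, blocklist=(), by_port=False):
    flows = parse_flows(text)
    dests = stage1_destinations(flows, host, at, by_port=by_port)
    rated = stage2_rate(flows, dests, host, at, by_port=by_port)
    return rated, cross_check(rated, blocklist)


def demo(by_port=False):
    return analyze(SAMPLE_FLOWS, INVESTIGATED, TIME_POINT, BLOCKLIST, by_port)


if __name__ == "__main__":
    rated, hits = demo()
    for rank, (count, dest) in enumerate(rated, 1):   # same shape as the script output: count dest (rank)
        print(f"{count:>6} {dest} ({rank})")
    print("listed:", hits)
```

Two details matter in practice. The 24-hour baseline must end at the time point, not at "now", otherwise traffic caused by the incident response itself (sinkholing, scanning the host) leaks into the population count. And the destination contacted by no other host in the population scores zero even when it is benign, which is the "harmless but very diverse unusual traffic" problem of slide 12; that is why the block-list cross-check is a separate step rather than part of the rating.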
22. Another Real Example (IDS)
IDS event with destination Google:
EVENT: ET TROJAN Zeus Bot Get to Google checking Internet connectivity
Date: 08/24-13:13:01.713666
SOURCE: 129.132.211.21x:50086
DEST: 173.194.112.210:80
23. ./analyzerdynamic2.sh 129.132.211.21x 20130824 1320
Enter Comment. End it with ^D
EVENT: ET TROJAN Zeus Bot Get to Google checking Internet connectivity DATE: 08/24-13:13:01.713666 SOURCE: 129.132.211.21x:50086 DEST: 173.194.112.210:80
Done. Comment stored in -rw-r--r-- 1 hall nsg 124 Aug 28 15:41 comment
DEBUG: starthour:201308241220 endhour:201308241320 startday:201308231320 port:-1
First DYNAMIC STAGE *************************************
nfdump -M /nfsen -R nfcapd.201308241220:nfcapd.201308241320 '( host 129.132.211.215 )' | grep ^2013 | awk '{ print $7 }' | sed 's/:/ /g' | awk '{ print $1 }' | grep -v "129.132.211.21x:" | sort -u > ./analyzer_129.132.211.21x.outp
Debug dnumber:90
Second DYNAMIC STAGE *************************************
108.160.162.111
133 108.160.162.111 (89)
108.160.162.99
118 108.160.162.99 (88)
111.111.111.111
19 111.111.111.111 (87)
12.161.242.20
...
26. Black List SBL Reference
http://www.spamhaus.org/sbl/query/SBL193024
Ref: SBL193024
140.116.72.75/32 is listed on the Spamhaus Block List - SBL
140.116.72.75/32 is listed on the Spamhaus Botnet C&C List - BGPCC
2013-08-26 15:56:50 GMT | edu.tw
Citadel botnet controller @140.116.72.75
Update Aug 26, 2013
Problem still exists, Citadel botnet controller located here:
http://dashuxmaecrme.com/wel/file.php
http://dashuxmaecrme.com/wel/qwrt.php
http://frontrunnings.com/fdet/file.php
http://joyrideengend.net/wel/file.php
http://spottingculde.com/wel/file.php
http://eenyellowredpf.su/wel/file.php
http://stabilitymess.net/wel/file.php
http://systemlevelge.com/wel/file.php
…
27. Possible To-Do's
• Include the (destination) port in the analysis
• Automatically track compromised IPs
• Automatically analyse compromised IPs
• Automatically build and update C&C lists
• Automatically check correlations between C&C clusters and malware