Iptables Attack Visualization
Michael Rash, Security Architect, Enterasys Networks, Inc.
Date: Thursday, July 26
Time: 10:45am - 11:30am
The iptables logging format provided by the Netfilter project contains a wealth of detailed information about network traffic. Nearly every interesting field in the network and transport layer headers is logged by iptables. By combining the graphing capabilities of AfterGlow with the attack detection capabilities of the psad project, it is possible to render eye-catching graphical visualizations of network attacks. These visualizations can expose important relationships between attackers and their targets that are difficult to acquire via non-graphical means.
This talk will analyze iptables log data from two sources: the Honeynet Project and an internet-facing Linux system. The data contains instances of the Nachi and Slammer worms, and suspicious outbound SSH and IRC connections from compromised systems. In addition, material from the book Linux Firewalls: Attack Detection and Response will be presented to show you how to deploy psad on a live firewall.
As more people run Linux, mountains of iptables log data are piling up. It is time to maximize the effectiveness of this data and mine it for suspicious traffic and network-based attacks. This talk will show you how.