3D netwok map with different OS

3D netwok map with different OS

A 3d map of my network with nmap and mysql. We made it by using VRML.

So, the blue color is Windows computer and the red one is linux, the others in yellow are the printers (the eight is the number of the open ports)
It is very easy to compare two different scan (different days or weeks). When the cylinder is blue (microsoft computer) with a black cylinder, it is the different of port between the two scan, there is in this some new ports.
It possible to see it from fornt, up, left, right using vrml player.

:-))

Entropy analysis of RDP sessions

Entropy analysis of RDP sessions

This graph shows the statistical entropy of nine RDP sessions, as observed by net-entropy. There are two notable outliers - at this level of zoom, the black line is the most obvious. This was an RDP session to a server whose encryption level was set to "Low" - the other eight were to servers set to use "Client Compatible" encryption.
A second outlier appears at the beginning of the session (hard to see at this zoom level), and was due to the use of a different RDP client package. Further outliers (not on this graph) were observed when using rdesktop instead of the native Windows RDP client.
A fuller writeup is here.

Symantec A/V log parser

I was culling through the logs on one of my systems the other day and realized that I was getting a fair amount of alerts from my Symantec A/V servers. At first, I was not interested in what malware was being detected and cleaned but it got me thinking about what interesting patterns existed. I suspected that the majority of malware infections were caused by a minority of users as most malware these days require some user action. To test this theory I wrote a simple parser
to convert the logs to something that I could push into a visualizer and started looking for interesting patterns.

Here is a histogram and a heatmap of several months of data.

A/V Malware detect heat map

A/V Malware detect heat map

A/V Malware detect heat map

Picviz GUI 0.7 is out!

As announced on the Picviz mailing list, the new GUI is out. This is not a new release of the engine (libpicviz) but the GUI.

There is a lot of new feature that came from the Google summer of code, since Picviz was a project proposed by the Honeynet project. It is mostly about interaction that a graphical interface can give you to deal with parallel coordinates.

You can download it there: http://www.wallinfire.net/files/picviz

Picviz GUI 0.7

Picviz GUI 0.7

Picviz GUI 0.7

Most dangerous time on the Australian Internet - Honeynet activity

Most dangerous time on the Australian Internet - Honeynet activity

Shown is a visual of a time series analysis representing malicious activity reported by our 6 most active and reliable SensorNET honeypots. These honeypots have been deployed for between 9 months and 2 years in the Australian IP space.
For the full analysis, see my blog http://honeynet.org.au/?q=Most_dangerous_time_on_the_Australian_Internet

ben

SPAM senders

SPAM senders

From blog:
http://honeynet.org.au/?q=time_series_geomapping_of_spam

"In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps, is that they are the combination of months of data without any respect to time.
So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.
Without further ado, here is a video of about a week's worth of SPAM on the planet Earth......"

Note, I learnt about the logster tool here on the secviz blog first :)
Watch the vid on the blog, Here is a snapshot picture.

ben

Equilibrium Networks UI screenshot showing Slammer worm amongst all UDP/ICMP traffic on a gigabit network testbed

Equilibrium Networks UI screenshot showing Slammer worm amongst all UDP/ICMP traffic on a gigabit network testbed

video available at http://www.youtube.com/watch?v=53p0A_3WjgA

whitepaper describing the UI available at http://www.eqnets.com

SOI 2.0

SOI 2.0