heatmap_sensornet.jpg

This was made using gheat to generate a nice map of locations that are attacking our SensorNET.
SensorNET is a set of distributed nepenthes sensors that we set up at the Australian Honeynet Project.

Scans from attacking IPs and network-borne malware are captured and analyzed.
These attacks are portrayed on this heatmap.

For the full story go here: http://honeynet.org.au/?q=node/41

Inappropriate Email Investigation - From User 46

See http://5thsentinel.wordpress.com/2009/04/01/inappropriate-content-visualization/ for background.

This was done manually in Visio and shows emails sent by a specific user to recipients that contained inappropriate content.

Inappropriate Email Investigation - Overview

See http://5thsentinel.wordpress.com/2009/04/01/inappropriate-content-visualization/ for background.

This was done manually in Visio and shows emails sent per user to various recipients that contained inappropriate content.

SIP -> DIP With Circos

The original graph.

I'm working on a project which aims to visualize relations between IPs in different ways. So, I'm open to all ideas!
This graph was created with Circos. I use some Python scripts to get the IPs and generate the Circos matrix.

nmap Scanning Behavior Visualized in R Project

R Project is open-source software for statistical computing. It is a very comprehensive suite and offers many 2D and 3D visualizations. Data can easily be imported from a file or even a database.

The histogram shows the distribution of the scanned TCP ports when using nmap in default mode against one target system. The other plot shows the order of the TCP ports being scanned. We can see that the ports are scanned rather randomly and not in sequence as one might expect. The data for the visualization was extracted using tshark, the command line version of Wireshark.

The plots were generated with the following commands:
root@davix:~/# tshark -r nmap_option_v_oA.cap -Tfields -Eseparator=, -R "ip.dst == 192.168.119.135 and tcp" -e tcp.dstport | sort -n | uniq > tcp_ports_sorted.csv
root@davix:~/# tshark -r nmap_option_v_oA.cap -Tfields -Eseparator=, -R "ip.dst == 192.168.119.135 and tcp" -e tcp.dstport > tcp_ports_unsorted.csv
root@davix:~/# R
R version 2.6.1 (2007-11-26)
Copyright (C) 2007 The R Foundation for Statistical Computing
...
> results <- read.csv("tcp_ports_sorted.csv", header=T);
> attach(results);
> names(results);
> png(filename="tcp_port_histogram.png");
> hist(TCP_PORT, freq=TRUE, col="lightblue", breaks=seq(from=0, to=70000, by=1000));
> dev.off();
...
> results <- read.csv("tcp_ports_unsorted.csv", header=T);
> attach(results);
> names(results);
> png(filename="tcp_port_over_time.png");
> plot(TCP_PORT, col="blue");
> dev.off();
> q();

If you are looking for a quick and easy introduction I recommend looking at the first three chapters in Jane Horgan's book "Probability with R: An Introduction with Computer Science Applications".
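The post above reads the scan order off a plot. As an added example (not the poster's code and not part of the R session above), the script below computes the same two views from the one-column file that the second tshark command writes: the per-1000-port histogram and a simple "ascending fraction" that scores how sequential the probe order was (1.0 for a straight sweep, roughly 0.5 for a shuffled list). The port order in SAMPLE_CSV is constructed, not taken from the author's capture; it assumes the file carries a TCP_PORT header line, as the R code's header=T expects (tshark -Tfields only writes one when given -E header=y).

```python
"""Summarize the order in which a scanner probed TCP destination ports.

Added example, not code from the original post. Input is a one-column CSV
with a TCP_PORT header, the same shape the R code above reads.
"""
import csv
import io
from collections import Counter

# Constructed sample: a probe order as a scanner that shuffles its port list
# would produce. Not captured from any real scan.
SAMPLE_CSV = "TCP_PORT\n" + "\n".join(
    str(p) for p in [443, 22, 3389, 80, 8080, 21, 445, 139, 25, 5900, 23, 53]
) + "\n"


def read_ports(text):
    """Parse the CSV into a list of ints in file order.

    Rows that are not valid port numbers are skipped rather than aborting,
    so a stray tshark warning line in the file does not break the analysis.
    """
    ports = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            port = int(row["TCP_PORT"])
        except (TypeError, ValueError):
            continue
        if 0 <= port <= 65535:
            ports.append(port)
    return ports


def histogram(ports, bin_width=1000):
    """Count probes per port bin, mirroring hist(..., breaks=seq(0, 70000, by=1000))."""
    return Counter((p // bin_width) * bin_width for p in ports)


def ascending_fraction(ports):
    """Share of consecutive probe pairs where the port number went up.

    A strictly sequential sweep scores 1.0; a randomized order lands near 0.5.
    """
    if len(ports) < 2:
        return 0.0
    ups = sum(1 for a, b in zip(ports, ports[1:]) if b > a)
    return ups / (len(ports) - 1)


def summarize(text):
    """Return the figures a reader would otherwise eyeball off the two plots."""
    ports = read_ports(text)
    return {
        "probes": len(ports),
        "distinct_ports": len(set(ports)),
        "ascending_fraction": ascending_fraction(ports),
        "bins": histogram(ports),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_CSV)
    print(f"{summary['probes']} probes, {summary['distinct_ports']} distinct ports")
    print(f"ascending fraction: {summary['ascending_fraction']:.2f}")
    for lower in sorted(summary["bins"]):
        print(f"{lower:>6}-{lower + 999:<6} {'#' * summary['bins'][lower]}")
```

To use it on a real capture, write the tshark output to a file, add the TCP_PORT header (or pass -E header=y), and call summarize() on the file contents; an ascending fraction well below 1.0 is the numerical form of the "not in sequence" observation the post makes from the plot.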

Another timeline from Apache logs

Knock-off of the previous timeline post. I wrote a Perl script to parse the SOTM 34 log files and create an XML file for the timeline.
Sp3ar0

Timeline Visualization AJAX API

This is a timeline visualization of surfing activity recovered from Internet Explorer cache index.dat files. The graph was generated with the SIMILE Timeline Widget AJAX API. The graph has two timeline bands: The bottom one gives an overview of the activity over the complete timeline and the top one shows the details. The graph can be interactively navigated by panning the graph right/left. Different magnification levels can be set for each timeline band and also within a timeline.

Extraction from the index.dat files was done with Pasco. With awk/sed and some manual tweaking the data was transformed into XML that can then be visualized with the API.

SecViz Mailing List - Subscribe Today!

SecViz has a mailing list!

The charter for the list is the same as for the SecViz Web site: share, discuss, challenge, and learn about security visualization. The mailing list should help to have more in-depth discussions and get quicker responses on specific topics. I am looking forward to some good discussions around visualization applications, visualization methods, use-cases, etc. Fire away!

Note that the list keeps a public archive!

Nmap 3d

Hi,

After some modification of the code of the Nmap 3d, the nmap result scan works perfectly.
The 3d objects are not so bad: move, rotate, zoom. It is possible to do it in a very short time.

++

Asdp38

Connections display (SSH attack)

This image is a screenshot of nf3d. This software uses a Gantt-like approach to display IP connections as seen by Netfilter. Connections are sorted by their start date and they are drawn from back to front in the form of a cylinder. The small balls are specific packets which are put on the connection they belong to. Here, the balls represent SYN or FIN packets.

This image displays an SSH scan attack that can be compared with regular traffic displayed at the front (right) of the image.
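As an added example (not nf3d's code), the script below rebuilds the data model behind a Gantt-style connection view like the one above: packets are grouped into connections, each connection keeps its SYN and FIN markers, the rows are sorted by start time, and a text chart is drawn. It also flags the pattern the screenshot lets you see by eye, a source opening many very short connections in quick succession next to longer regular sessions. The packet records in SAMPLE_PACKETS are constructed, not real Netfilter output; the flag letters, window and thresholds are assumptions for the example.

```python
"""Gantt-style view of IP connections from per-packet records.

Added example, not nf3d's code. Each record is (time_s, src, sport, dst,
dport, flags); 'S' and 'F' in flags mark SYN and FIN packets.
"""
from collections import defaultdict

# Constructed sample traffic (not captured): two long client sessions and a
# burst of short connections from one host to port 22 on several targets.
SAMPLE_PACKETS = [
    (0.0, "192.168.1.10", 51000, "10.0.0.1", 443, "S"),
    (0.1, "192.168.1.10", 51000, "10.0.0.1", 443, "A"),
    (2.0, "10.0.0.7", 40000, "10.0.0.1", 22, "S"),
    (2.3, "10.0.0.7", 40000, "10.0.0.1", 22, "F"),
    (2.5, "10.0.0.7", 40001, "10.0.0.2", 22, "S"),
    (2.8, "10.0.0.7", 40001, "10.0.0.2", 22, "F"),
    (3.0, "10.0.0.7", 40002, "10.0.0.3", 22, "S"),
    (3.3, "10.0.0.7", 40002, "10.0.0.3", 22, "F"),
    (3.5, "10.0.0.7", 40003, "10.0.0.4", 22, "S"),
    (3.8, "10.0.0.7", 40003, "10.0.0.4", 22, "F"),
    (4.0, "10.0.0.7", 40004, "10.0.0.5", 22, "S"),
    (4.3, "10.0.0.7", 40004, "10.0.0.5", 22, "F"),
    (5.0, "192.168.1.11", 52000, "10.0.0.2", 80, "S"),
    (9.0, "192.168.1.10", 51000, "10.0.0.1", 443, "F"),
    (9.5, "192.168.1.11", 52000, "10.0.0.2", 80, "F"),
]


def build_connections(packets):
    """Group packets by 4-tuple into connections sorted by start time.

    The first packet seen sets the start, every packet extends the end, and
    SYN/FIN packets are recorded as markers (the 'balls' in the nf3d view).
    """
    conns = {}
    for t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, sport, dst, dport)
        c = conns.setdefault(key, {"src": src, "dst": dst, "dport": dport,
                                   "start": t, "end": t, "markers": []})
        c["end"] = max(c["end"], t)
        if "S" in flags:
            c["markers"].append((t, "SYN"))
        if "F" in flags:
            c["markers"].append((t, "FIN"))
    return sorted(conns.values(), key=lambda c: c["start"])


def render_gantt(conns, step=0.5):
    """ASCII Gantt chart: one row per connection, '=' while open, S/F at markers."""
    width = int(max(c["end"] for c in conns) / step) + 1
    rows = []
    for c in conns:
        cells = [" "] * width
        for i in range(int(c["start"] / step), int(c["end"] / step) + 1):
            cells[i] = "="
        for t, kind in c["markers"]:
            cells[int(t / step)] = kind[0]
        rows.append(f'{c["src"]:>14} -> {c["dst"]}:{c["dport"]:<5} |{"".join(cells)}|')
    return "\n".join(rows)


def short_connection_bursts(conns, window=5.0, min_count=4, max_duration=1.0):
    """Flag sources with >= min_count connections shorter than max_duration
    inside any window of `window` seconds. Returns {src: peak count}.
    Thresholds are assumed values for the example, not nf3d settings."""
    by_src = defaultdict(list)
    for c in conns:
        if c["end"] - c["start"] <= max_duration:
            by_src[c["src"]].append(c["start"])
    flagged = {}
    for src, starts in by_src.items():
        starts.sort()
        best, j = 0, 0
        for i in range(len(starts)):          # sliding window over start times
            while starts[i] - starts[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_count:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    connections = build_connections(SAMPLE_PACKETS)
    print(render_gantt(connections))
    print("burst sources:", short_connection_bursts(connections))
```

Feeding this real data means converting Netfilter log lines or conntrack events into the (time, src, sport, dst, dport, flags) tuples; the chart then shows the burst as a stack of short bars next to the long regular sessions, which is exactly the contrast the screenshot relies on.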