The image shows a Nmap scan. It covers the middle half of class C network range (.64 to .192) and at the same time probes the popular ports at each address. It is a parallel network and port sweep with decoys to hide the true identity of the scanner - so it simultaneously address scans and port scans while spoofing other source addresses to obscure the scanners identity. The scan was generated by the Nmap command below:
nmap -sS 127.21.146.64-192 -e lo -F -T5 --host-timeout 10m --max-retries 0 --initial-rtt-timeout 25ms --max-rtt-timeout 250ms --max-scan-delay 250ms --scan-delay 10ms --min-hostgroup 32 --max-hostgroup 32 -D 126.96.36.199,188.8.131.52,184.108.40.206
In summary, the command tells Nmap to SYN scan the middle half of the loop-back network (-sS 127.21.146.64-192 -e lo) on common ports (-F) in a non-random manner (-r), and scan in parallel address blocks of 32 (--min-hostgroup 32 --max-hostgroup 32) while creating decoy packets with 3 spoofed addresses (-D 220.127.116.11,18.104.22.168,22.214.171.124).
The data is visualised in IneVis, a time-animated interactive 3-D packet trace visualisation. InetVis supports, IP ICMP, TCP, and UDP. Essentially, it's a 3-D scatter-plot:
In the sample image, the lines are 'sweeping' across popular ports at each address (in the direction of the blue axis). Note the concentration in the lower port range (bottom green axis) where most common service ports reside. The four identical 'columns' of activity are the sources (separated by red-axis). One of these is the true scanner, the other's are spoofed decoys. The image is shown with a 45 minute time-window and 'transparent' ageing which makes older packets fainter. The chosen colour scheme is by destination port.
InetVis was inspired by Stephen lau's Spinning Cube of Potential Doom. For more details about InetVis, see: http://www.cs.ru.ac.za/research/g02v2468/inetvis.html.
currently I am searching for a nice tool (OSS/commercial) to do some jobs on my checkpoint firewall rules (cpdb2html generated a 348 page file):
1. Aggregation of rules - Let's say every server in a subnet has ssh enabled then I would like to create ONE rule for the whole environment and remove the dupes.
2. Visualization - I'd like to have a nice graph of my subnets where I can see the hosts and the ports which are openend.
I am no firewall administrator and I only saw the checkpoint GUI once - so maybe I am missing something obvious here.
Thanks and Kind Regards,
Ruediger G. Biernat
I came across this presentation from Tamara Munzner. A great read about some of her latest research in visualization. Here are the tools the presentation references. They are really interesting and if you look around on Tamara's Web page, you will find some videos and the tools themselves.
Recently I've stumbled upon this interesting little app called glTail , it's pretty bare at the moment but there's potential.
As I don't like duplication of the post, the detail explanation of the graph can be found at security.org.my here.
AfterGlow 1.5.9 is out. It's not a huge release, but it allows for some new things that, for example, Tenshi needed to make it more useful. The feature that helps there is that you can now dynamically change node labels.
Another new feature is the addition of URLs to nodes. This is needed to support image maps. If you generate an image map through GraphViz (-Tcmapx), you can provide URLs that go along with the nodes. If you then use that image map in an HTML file along with the graph, you have an interactive graph. If you are interested in how this looks, I blogged about a Splunk - AfterGlow integration on my Splunk blog. The new search command I built, is using image maps to build an HTML file, which is then linked back to Splunk. Check it out.
I wanted to see if I could hook up Tenshi, a log monitoring application, with some pretty graph, for a long time. The current tree supports a csv output feature that allows pipeing to something like AfterGlow.
In order to get this you can use something like this in your tenshi configuration (if you use the latest version from the tree):
set csv [0 * * * *] /usr/local/bin/tenshi_graph.sh
Where tenshi_graph.sh could be
/usr/local/bin/afterglow.pl -c /etc/afterglow.conf -t | neato -v -Tpng -o /var/lib/tenshi/tenshi_graph.png
and afterglow.conf configuration could be something like
color.target="red" if ($fields > 1000);
color.target="orange" if ($fields > 500);
color.target="blue" if ($fields > 100);
color.target="lightblue" if ($fields > 50);
color.target="yellow" if ($fields == 1);
This allows having target node colours depending on the number of hits of the affected log, but of course it might be whatever conditions you want. You can see how it's possible to quickly evaluate logs that are common to different servers and their frequency.
Keep in mind that in order to have useful and readable graphs your tenshi configuration must be accordingly tuned. Arbitrary logs in the csv queue would quickly generate huge and unreadable node maps.
This is just an example, more advanced processing can be done. If you have new ideas please share them on firstname.lastname@example.org mailing list and/or the SecViz portal :).
I’ve wanted to post this graph for a while but only just got round to anonymising the data.
Looking at piles of IRC logs can be very unilluminating, but it’s not obvious what to do with all the data. One nice way of getting a handle on links between channels is to plot channels with links between them weighted by the number of users in common.
The example above is from a honeynet we ran in 2004/5. The graph shows up a couple of things nicely:
1) There are two distinct groups of channels, and a look at the data shows that there two groups correspond to channels in different languages and,
2) The strong links between a couple of channels in the main group show up that these channels are related and looking at the data shows them to be used for discussing hacking, while the other channels are innocuous.
The original channel names have been replaced by ‘cN’ to protect the guilty.
For a full size copy of the image, see UK Honeynet blog where this was first posted.
VizSEC 2007 Workshop on Visualization for Computer Security
To be held between October 28 and November 1, 2007 in Sacramento, CA
The VizSEC 2007 Workshop on Visualization for Computer Security will provide a forum for new research in visualization for computer security. Building on the success of the previous three VizSEC workshops, we will again be meeting in conjunction with the IEEE Vis and InfoVis Conferences. The workshop will be held in Sacramento, CA USA between October 28 and November 1, 2007. The exact date of the workshop is still to be determined by the Conference committee; please check the web site for further details.
Reasearchers and practitioners from academia and industry are encouraged to submit papers and attend the event. We are looking for diversity and are particularly hoping that practitioners who have experience designing and using visualization in the field will consider joining us. Please see the web site for further details: http://vizsec.org/workshop2007/
This is a first attempt at visualizating open ports detected by nmap in around 60 servers.
I've used Freshcookies-Treemap and custom scripts.
Ports are all TCP.