cipherdyne.org

15 April, 2007

At the O'Reilly Open Source Convention of 2007 (July 23-27, Portland, Oregon) I will give a talk about visualizing iptables log data. Here is the talk abstract:

The iptables logging format provided by the Netfilter project contains a wealth of detailed information about network traffic. Nearly every interesting field in the network and transport layer headers is logged by iptables. By combining the graphing capabilities of AfterGlow with the attack detection capabilities of psad it is possible to render eye-catching graphical visualizations of network attacks. These visualizations can expose important relationships between attackers and their targets that are difficult to acquire in via non-graphical means. This talk will analyze iptables log data from two sources: the Honeynet Project, and from an Internet-facing Linux system. This data contains instances of the Nachi and Slammer worms, and suspicious outbound SSH and IRC connections from compromised systems. In addition, material from the book "Linux Firewalls: Attack Detection and Response" will be presented to show you how to deploy psad on a live firewall. As more people run Linux, mountains of iptables log data are piling up. It is time to maximize the effectiveness of this data and mine it for suspicious traffic and network-based attacks. This talk will show you how.