Toady's blog


Thursday, June 11 2009

Workshop on the Analysis of System Logs

Just a reminder, we are approaching the June 29th deadline for WASL, http://www.systemloganalysis.com/

Monday, May 25 2009

Eicar 2009 slides available

You can find the slides for the lecture Philippe and I gave at Eicar for download.

Enjoy! (feedback greatly appreciated)

Friday, May 15 2009

Eicar 2009 paper available

The paper Philippe and I wrote for Eicar is now available for download.

Applied Parallel Coordinates for Logs and Network Traffic Attack Analysis (Best paper award)


Looking at how computer security issues are handled today, dealing with numerous and unknown events is not easy. Events need to be normalized, abnormal behaviors must be described, and known attacks are usually expressed as signatures.
Parallel coordinates plots offer a new way to deal with such a vast amount of events and event types: instead of working with an alert system, an image is generated so that issues can be visualized.
By simply looking at this image, one can see line patterns with a particular color, thickness, frequency, or convergence behavior that give evidence of subtle data correlation.
This paper first starts with the mathematical theory needed to understand the power of such a system and later introduces the Picviz software, which implements part of it.
Picviz dissects acquired data into a graph description language to make a parallel coordinates picture of it. Its architecture and features are covered with examples of how it can be used to discover security-related issues.

Download here

Thursday, April 30 2009

Prague

I am in Prague until next Monday. Between city tours, Picviz hacking, writing slides for Eicar and working on my Picviz paper for the Journal of Computer Virology, let's meet up!

Just drop me an email.

Monday, April 20 2009

Picviz selected for Google Summer Of Code (GSOC)!

The Honeynet Project had several projects, 8 in total. They were all carefully chosen and I had the honor of having Picviz as one of those projects.

I really believe parallel coordinates will greatly improve the data analysis area, and it seemed I was not the only one to think so.

You can check out some very cool projects that also got selected. This is a great opportunity for us, even though we had a really hard time rejecting other great projects.

Anyway, because they will work intensively in Python, I completely rewrote the bindings, and I even documented them!

Ah, I forgot: did you know that sometimes the challenges some people set in Chinese restaurants can be solved simply by running 'strings' and reading the riddle at the end of the binary?

Friday, April 17 2009

Random stuff

It's been a while since I last blogged. There we go... quite some random late things.


Friday, March 20 2009

Linux Mag special issue on Netfilter

That's it: after a few months of thinking it over, we finally started writing a special issue on Netfilter in December, to hand it in mid-January so that it would be on the shelves today.

I am really happy with this special issue. It is exactly the kind of magazine I would have liked to have in my hands when I was discovering Netfilter.

For example, Éric and I wanted a very practical introduction to iptables and netfilter, with a simple but fairly common example, along with ways to check that your configuration is the right one using tcpdump and netcat.

Finally, this is the second time Picviz discreetly appears in a Linux Mag; it may be time for me to write an article about it ;)

Happy reading!

Thursday, March 5 2009

Eicar 2009 - 18th edition

The Eicar agenda is now online.

And well, wow!

Not only the paper I co-wrote with Philippe Saadé got selected, but it also got the best paper award.

Thank you to the people who nominated our paper; we will do our best to explain how parallel coordinates can be used for computer security.

Saturday, February 28 2009

Security Visualization Mailing list

Finally! After quite some talks and emails with Raffy, the computer security visualization community has a mailing list. Join us!

http://www.secviz.org/mailinglist

...and be the first to post :-)

Wednesday, February 25 2009

Malaysia - day 1

I arrived in Kuala Lumpur, and I really enjoy the weather (not sunny though), the nature and the people I have already met. Meling kindly picked me up at the airport, we had lunch and headed towards the hotel. The hotel is incredible, just in front of the prime minister's house in a very nice area, on top of a hill. The welcome from the Malaysian folks is incredibly warm.

Meling at lunch time

A beer with fellow honeynet members.

View from my hotel room.

Malaysian friends and myself in front of the hotel

Friday, February 20 2009

Expected weather in Kuala Lumpur

Since a picture is worth a thousand words:

kuala-weather.png

Wednesday, February 11 2009

Going to Honeynet workshop


I am finally going to the Honeynet Project workshop in Kuala Lumpur, Malaysia.

While it will be great to see good old friends, meet new ones and see in real life some people I work with, I will surely not miss the famous Durian fruit:

The odour has led to the fruit's banishment from certain hotels and public transportation in Southeast Asia.

At the same time, I will have the opportunity to share my work and thoughts on three important projects: Nufw, Prelude IDS and Picviz.

Lecture title: Scalable Intrusion Detection Systems
Synopsis: This talk is about how a firewall, a hybrid IDS and a visualization system can interact with each other to defend against attacks occurring at a national scale. The detection and prevention lifecycle will be covered so that you can react efficiently when facing such problems.

Thursday, February 5 2009

Picviz and OSSEC wedding

As Daniel announced on his blog, OSSEC v.2 is about to be released and needs testing, especially the agentless feature.

Maybe you haven't noticed, but OSSEC v.2 goes along with Picviz output support, as announced here. Get instructions to get OSSEC and Picviz working together on the OSSEC wiki right here.

Remember that the support needs SVN and is experimental.

I generated this image:

Right now some things in the template need to be improved, but I am more than likely to do so.

Enjoy!

Saturday, January 24 2009

Honeynet work

The French honeynet 2008 status report is now online. It is just a few words about what was done in December, since the group (re-)started very recently.

The infrastructure is very basic for now (nepenthes, rsyslog and snort) but it is a good way to start and tune all the little things that must be done before going further. Next steps should also be on the collaboration side, with ISPs, to get as much feedback on our tools as possible.

At the same time, I wrote a patch for Nepenthes so that it can catch packets from libnetfilter_queue. This patch compiles, but I had no time to test it tonight. As I would be more than happy to get feedback, I am making it public on this blog, and after some testing it will go to the nepenthes mailing list.

Enjoy!

Friday, December 26 2008

India

I am going to India and I will be away from keyboard until January 11th.

Tuesday, December 23 2008

Nmap facts with parallel coordinates

I played a bit with nmap scans and argus to have a flow-wise graph:

tcpdump -i any -w scan2.pcap -n 'ip'

nmap 192.168.0.11

/usr/sbin/argus -r scan2.pcap -w - | ra -n > scan2.netflow

parsers/net/argus2picviz.pl scan2.netflow > scan2.pgdl

pcv -Tpngcairo scan2.pgdl -Rheatline > scan2-freq.png

Which gives this image: scan2-freq.png

Higher resolution available here.

Doing frequency analysis on this data is quite interesting:

  • We can see that nmap religiously scans the first 1024 ports
  • Among those 1024 ports, some are tested more than others (as we see red lines between the source port and dest port axes), using the same source port
  • Some higher ports are tested several times from different source ports
  • The higher we get on the dest port axis, the more spread out the tested ports are
  • Some localhost tests are tried
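The observations above are the kind of frequency facts the heatline rendering makes visible. As an added example (not part of the original post or of Picviz), here is the same analysis done numerically over flow records, so the picture can be cross-checked before rendering. The input layout "proto src sport dst dport" is a constructed simplification of what ra prints, and the function names are my own.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample flows in a simplified "proto src sport dst dport" layout
# (an assumption for this example; real `ra` output has more columns and is
# normally converted with parsers/net/argus2picviz.pl).
SAMPLE_FLOWS = """\
tcp 192.168.0.10 40123 192.168.0.11 22
tcp 192.168.0.10 40123 192.168.0.11 80
tcp 192.168.0.10 40123 192.168.0.11 80
tcp 192.168.0.10 40124 192.168.0.11 443
tcp 192.168.0.10 40125 192.168.0.11 8080
tcp 192.168.0.10 40126 192.168.0.11 8080
tcp 127.0.0.1 51000 127.0.0.1 53
"""


def parse_flows(text):
    """Yield (proto, src, sport, dst, dport) tuples, skipping blank/comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport = line.split()
        yield proto, src, int(sport), dst, int(dport)


def scan_frequency(text, low_cutoff=1024):
    """Summarise a scan the way the heatline picture does: which low ports were
    hit, which (sport, dport) pairs repeat, which dports were probed from several
    source ports, and how many flows stayed on loopback."""
    flows = list(parse_flows(text))
    pair_counts = Counter((sport, dport) for _, _, sport, _, dport in flows)
    sports_per_dport = defaultdict(set)
    for _, _, sport, _, dport in flows:
        sports_per_dport[dport].add(sport)
    return {
        "low_ports": sorted({dport for *_, dport in flows if dport <= low_cutoff}),
        "repeated_pairs": {p: c for p, c in pair_counts.items() if c > 1},
        "multi_sport_ports": sorted(d for d, s in sports_per_dport.items() if len(s) > 1),
        "localhost_flows": sum(1 for _, src, _, dst, _ in flows
                               if ip_address(src).is_loopback or ip_address(dst).is_loopback),
    }


if __name__ == "__main__":
    for key, value in scan_frequency(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```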

Ah, and by the way, a lot of Picviz news will arrive in January 2009, stay tuned!

Tuesday, December 16 2008

udev hell

Beware, this is a rant!


Today I installed a new network card in my machine. My interface that used to be eth0 suddenly got renamed to eth1.

How intuitive! Especially with all the network scripts I have, being a big libpcap user. So what happened?
# dmesg |grep eth0
[    2.672035] forcedeth 0000:00:07.0: ifname eth0, PHY OUI 0x732 @ 1, addr 00:de:ad:be:ef:23
[    2.785500] udev: renamed network interface eth0 to eth1
[    5.460834] eth0: RealTek RTL8139 at 0xffffc20000322000, 00:fe:ed:da:d0:42, IRQ 17
[    5.471601] eth0:  Identified 8139 chip type 'RTL-8100B/8139D'
[   90.021757] eth0_rename: link down
[   90.030918] ADDRCONF(NETDEV_UP): eth0_rename: link is not ready

Yeah, eth0 becomes eth1, eth1 becomes eth0, and eth0 is renamed to eth0_rename. Silly me! How come I am not happy with the current situation?

It is very obvious that you should edit the file "/etc/udev/rules.d/70-persistent-net.rules" and keep only those two lines:
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:de:ad:be:ef:23", NAME="eth0"
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:fe:ed:da:d0:42", NAME="eth1"
Which, after a reboot, links my card "00:de:ad:be:ef:23" to eth1, and the other one to eth0. Very logical, huh? OK, at least I no longer have the "eth0_rename" interface.

I think I will waste less time changing the interface name in my scripts.
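The mismatch above (a rule says eth0 for one MAC, the kernel ends up calling it eth1) is easy to miss by eye when the rules file has accumulated stale entries from cards that are no longer installed. As an added example, not part of the post, here is a small checker: it parses a 70-persistent-net.rules file and compares it with the names the running system actually has. The sample rules are a constructed copy of the two lines above plus a stale third entry; the interface map is constructed too (on a live box you would read /sys/class/net/<name>/address instead).

```python
import re
from collections import Counter

# Constructed: the two rules from the post plus a stale entry for a card that is
# no longer in the machine (hypothetical MAC), which also re-uses the name eth0.
SAMPLE_RULES = """\
# This file was automatically generated by the /lib/udev/write_net_rules
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:de:ad:be:ef:23", NAME="eth0"
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:fe:ed:da:d0:42", NAME="eth1"
SUBSYSTEM=="net", DRIVERS=="?*", ATTR{address}=="00:11:22:33:44:55", NAME="eth0"
"""

# Constructed: what the kernel reports after the reboot described in the post.
SAMPLE_IFACES = {"eth1": "00:de:ad:be:ef:23", "eth0": "00:fe:ed:da:d0:42"}

RULE_RE = re.compile(r'ATTR\{address\}=="([0-9a-fA-F:]{17})".*?NAME="([^"]+)"')


def parse_rules(text):
    """Return (mac, name) pairs from a persistent-net rules file, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            rules.append((m.group(1).lower(), m.group(2)))
    return rules


def check_rules(rules_text, ifaces):
    """Compare the rules with the live name->MAC map and report what is off."""
    rules = parse_rules(rules_text)
    want = dict(rules)                                   # mac -> name the rules ask for
    have = {mac.lower(): name for name, mac in ifaces.items()}  # mac -> name in use
    name_counts = Counter(name for _, name in rules)
    return {
        "duplicate_names": sorted(n for n, c in name_counts.items() if c > 1),
        "stale_macs": sorted(set(want) - set(have)),     # rules for absent cards
        "unruled_macs": sorted(set(have) - set(want)),   # cards with no rule at all
        "mismatched": sorted(m for m in want if m in have and have[m] != want[m]),
    }


if __name__ == "__main__":
    for key, value in check_rules(SAMPLE_RULES, SAMPLE_IFACES).items():
        print(f"{key}: {value}")
```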



Monday, December 15 2008

Picviz lectures tour


I just arrived from San Diego, USA, where I had the opportunity to talk about Picviz and how you can use it to do system log analysis.
This was part of the Usenix Workshop on the Analysis of System Logs. The lectures were interesting, especially those on logs used for failure prediction. WASL 2008 material is now available on the conference website.

As I already said on the honeynet blog, I went through the Cray log analysis contest. I lost by one vote only, which is fair since I started the contest after my presentation.

My pictures are all uploaded there.

Yesterday, I submitted a paper for the next Eicar convention. This paper is a very maths-centric view of parallel coordinates and of course later talks about how things got implemented in Picviz. I wrote it along with my good friend Philippe. Here's a small teaser:




Sunday, December 7 2008

Usenix slides

My talk is over, and my slides on 'Picviz: finding a needle in a haystack' are available.

Friday, December 5 2008

San Diego

Just arrived, the trip was quite long but worth doing since the weather is pretty cool here.

I walk the streets in a shirt under a clear, sunny sky.

Gotta finish my slides now!
