cipherdyne.org

Michael Rash, Security Researcher



Chapter 14: iptables Log Visualization

The last chapter in the book wraps up with some graphical representations of iptables log data. A picture can quickly illustrate trends in network communications that may indicate a system compromise, and by combining psad with the Gnuplot and AfterGlow project you can see what iptables has to show you.

All of the graphical representations in Chapter 14 are reproduced below, along with the data files and Gnuplot directive files. The data source for all of the visualizations is the iptables log data provided by the Honeynet Project in the Scan 34 challenge. You can view all of the visualizations on a single page here if you like.

Figure Description Files
Figure 14-1 Traffic Spike: Number of packets to ports per minute graph, .dat, .gnu
Figure 14-2 Traffic Spike: Number of SYN packets to ports per hour graph, .dat, .gnu
Figure 14-3 Port Scan: Source IP addresses vs. number of unique ports graph, .dat, .gnu
Figure 14-4 Port Scan: Time vs. unique ports graph, .dat, .gnu
Figure 14-5 Port Sweep: External sources vs. number of unique local destinations graph, .dat, .gnu
Figure 14-6 Port Sweep (3D): External source addresses vs.
destination ports vs. packet counts
graph, .dat, .gnu
Figure 14-7 Port Sweep: MySQL 3306 graph, .dat, .gnu
Figure 14-8 Link graph of MySQL port sweep graph
Figure 14-9 Slammer worm: packet counts by the hour graph, .dat, .gnu
Figure 14-10 Slammer worm: packet counts by the minute graph, .dat, .gnu
Figure 14-11 Nachi worm traffic by the hour graph, .dat, .gnu
Figure 14-12 Link graph of Nachi worm 92-byte ICMP packets graph
Figure 14-13 Compromised Honeynet system: Point graph of outbound connections graph, .dat, .gnu
Figure 14-14 Compromised Honeynet system: Link graph of outbound connections graph