cipherdyne.org

Michael Rash, Security Researcher



psad Graphs of the Honeynet Scan30 Challenge

The Honeynet Scan30 results have long since been posted. The purpose of this page is not to duplicate that excellent work; rather, it illustrates how visualizing security data can bolster security analysis.

Automating the analysis of the Scan30 challenge iptables logfile was done with psad in logfile analysis mode ("psad -A -m <file>"). A portion of this output is available online as the psad Scan30 analysis, and the complete version is available for download.

All graphs on this page were generated by running psad in --CSV mode to feed data to AfterGlow, with the resulting graph rendered by Graphviz's neato; the specific command used appears after each graph below. The following color scheme applies to all graphs on this page:
RED - IP addresses external to the honeynet (attackers, scanners, etc.)
YELLOW - Honeynet IP addresses
BLUE - Port numbers (> 1024)
LIGHTBLUE - Port numbers (<= 1024)

Traffic Originating From the Honeynet
This graph shows all outbound traffic from the honeynet, and is one of the first things to check when looking for signs of a compromise. All IP addresses associated with the honeynet fall within 11.11.11.0/24. The host 11.11.11.67 shows up prominently in the middle of the graph: it is the honeynet system that generated the most outbound traffic (as logged by iptables, that is), and connections from it to external web (port 80) and FTP (port 21) servers are visible. It is a good bet that this system is compromised. Another interesting piece of information is that the iptables logging rules were built with the --log-prefix argument, and psad summarizes all of the logging prefixes in its analysis output.
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src:11.11.11.0/24 dst dp" | perl afterglow.pl -c color.properties | neato -Tgif -o 11.11.11.0_subnet_src.gif
Compromised host: 11.11.11.67
The host 11.11.11.67 was compromised during the time period where the iptables logs were generated, and the following graph shows the hosts and ports it talked to (i.e. where SRC=11.11.11.67 in the iptables logs):
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src:11.11.11.67 dst dp" --CSV-max 10000 | perl afterglow.pl -c color.properties | neato -Tgif -o 11.11.11.67_src.gif
Compromised host: 11.11.11.67 (continued)
This is another graph of the compromised host, but this time it also shows instances where 11.11.11.67 is the destination address. Note the use of the psad --CSV-regex command line argument, which lets the address match either the Netfilter SRC or DST field in the iptables logs:
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src dst dp" --CSV-regex 11.11.11.67 --CSV-max 12000 | perl afterglow.pl -c color.properties | neato -Tgif -o 11.11.11.67_src.gif
MyDoom Worm
The next graph shows traffic associated with the MyDoom worm, selected by destination port 3127 (the TCP backdoor port opened by MyDoom). As before, the target IP addresses are shown in yellow and the source IP addresses in red.
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src dst dp:3127" --CSV-max 100 | perl afterglow.pl -c color.properties | neato -Tgif -o general.gif
MyDoom Against Single Target IP (11.11.11.72)
The next graph shows MyDoom-related traffic (destination port 3127) against the single target IP 11.11.11.72.
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src dst:11.11.11.72 dp:3127" --CSV-max 1000 | perl afterglow.pl -c color.properties | neato -Tgif -o general.gif
General Scans
The first graph below shows a selection of the scanning IP addresses (in red) and their target IP addresses (yellow) and port numbers (blue). In several cases, a single source address scans multiple target addresses, and the worst offenders are contained within the red clump in the middle of the yellow target addresses:
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src dst dp" --CSV-max 200 | perl afterglow.pl -c color.properties | neato -Tgif -o general.gif
Windows Messenger Popup Spam
This graph displays UDP packets to port 1026 where the source port is a four-digit high port and the UDP LEN field (header plus payload) is between 400 and 999 bytes; the --CSV-regex argument expresses this search criterion directly against the raw Netfilter log lines, in which the second LEN field (the UDP length) follows SPT. Such traffic is commonly associated with attempts to send spam via Windows Messenger service popups. In this example, it is interesting that most of the source IP addresses fall within 64.191.71.* through 64.191.77.*, which may indicate a remote botnet being used to send large amounts of spam.
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src dst dp:1026" --CSV-regex "SPT=\d{4}.*LEN=[4-9]\d{2}" --CSV-max 200 | perl afterglow.pl -c color.properties | neato -Tgif -o 203.200.213.182.gif
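The extraction step behind every graph on this page (psad --CSV with --CSV-fields, --CSV-regex and --CSV-max feeding "src,dst,dp" rows to AfterGlow), the outbound-traffic check against the 11.11.11.0/24 honeynet range, and the Windows Messenger regex above, modelled in a small Python script. This is an added example written for this page, not psad's or AfterGlow's own code: the Netfilter log lines, the hostname "bridge" and the interface br0 are constructed, and skipping records that lack a requested field (an ICMP line has no DPT) is this example's choice, not a claim about psad's behaviour.

```python
"""Toy model of the psad --CSV -> AfterGlow extraction used on this page.

Added example, not psad's or AfterGlow's own code.  It parses Netfilter LOG
lines, applies filters in the spirit of --CSV-fields ("src:11.11.11.0/24 dst
dp"), --CSV-regex and --CSV-max, and emits the "src,dst,dp" rows AfterGlow
consumes.  Every log line below is constructed for this example.
"""
import ipaddress
import re
from collections import Counter

HONEYNET = ipaddress.ip_network("11.11.11.0/24")  # the page's honeynet range

# Constructed Netfilter LOG lines in the default iptables LOG format; the
# hostname "bridge" and interface br0 are assumptions.
SAMPLE_LOG = """\
Feb  1 10:00:01 bridge kernel: INBOUND UDP: IN=br0 OUT=br0 SRC=64.191.71.10 DST=11.11.11.72 LEN=440 TOS=0x00 PREC=0x00 TTL=113 ID=20500 PROTO=UDP SPT=4123 DPT=1026 LEN=420
Feb  1 10:00:02 bridge kernel: INBOUND TCP: IN=br0 OUT=br0 SRC=203.200.213.182 DST=11.11.11.72 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1 DF PROTO=TCP SPT=3421 DPT=3127 WINDOW=16384 RES=0x00 SYN URGP=0
Feb  1 10:00:03 bridge kernel: OUTBOUND TCP: IN=br0 OUT=br0 SRC=11.11.11.67 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=32769 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  1 10:00:04 bridge kernel: OUTBOUND TCP: IN=br0 OUT=br0 SRC=11.11.11.67 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=32770 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  1 10:00:05 bridge kernel: INBOUND UDP: IN=br0 OUT=br0 SRC=64.191.77.5 DST=11.11.11.80 LEN=60 TOS=0x00 PREC=0x00 TTL=113 ID=20501 PROTO=UDP SPT=4124 DPT=1026 LEN=40
Feb  1 10:00:06 bridge kernel: INBOUND ICMP: IN=br0 OUT=br0 SRC=198.51.100.9 DST=11.11.11.72 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# KEY=VALUE tokens; when a key repeats (LEN appears for IP and again for UDP)
# dict() keeps the last one, so "len" below is the UDP length on UDP lines.
_KV = re.compile(r"(\w+)=(\S*)")
_PREFIX = re.compile(r"kernel: (.*?)\s*IN=")   # the --log-prefix string


def parse_line(line):
    """Return src/dst/sp/dp/proto/len/prefix for a Netfilter LOG line, else None."""
    if "SRC=" not in line or "DST=" not in line:
        return None
    kv = dict(_KV.findall(line))
    m = _PREFIX.search(line)
    return {
        "src": kv.get("SRC"), "dst": kv.get("DST"),
        "sp": kv.get("SPT"), "dp": kv.get("DPT"),
        "proto": kv.get("PROTO"), "len": kv.get("LEN"),
        "prefix": m.group(1).strip() if m else "",
    }


def _field_matches(rec, name, want):
    """Field filter: CIDR or single IP for src/dst, exact string otherwise."""
    value = rec.get(name)
    if value is None:
        return False
    if name in ("src", "dst"):
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(want, strict=False)
        except ValueError:
            return False
    return value == want


def csv_rows(log_text, fields="src dst dp", regex=None, max_rows=None):
    """Emit AfterGlow CSV rows.  `fields` is space-separated name[:filter]
    tokens (--CSV-fields), `regex` runs against the raw line (--CSV-regex),
    `max_rows` caps the output (--CSV-max).  Records missing a requested
    field are skipped (this example's choice)."""
    specs = [(f.split(":", 1) + [None])[:2] for f in fields.split()]
    pattern = re.compile(regex) if regex else None
    rows = []
    for line in log_text.splitlines():
        if pattern and not pattern.search(line):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        if any(rec.get(n) is None or (w is not None and not _field_matches(rec, n, w))
               for n, w in specs):
            continue
        rows.append(",".join(rec[n] for n, _ in specs))
        if max_rows is not None and len(rows) >= max_rows:
            break
    return rows


def log_prefix_summary(log_text):
    """Count --log-prefix strings, as psad's analysis output summarizes them."""
    return Counter(r["prefix"] for r in map(parse_line, log_text.splitlines()) if r)


def node_color(value):
    """The colour scheme used for every graph on this page."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:                       # not an IP, so it is a port
        return "blue" if int(value) > 1024 else "lightblue"
    return "yellow" if ip in HONEYNET else "red"


if __name__ == "__main__":
    # Outbound traffic from the honeynet: the first graph on the page.
    for row in csv_rows(SAMPLE_LOG, "src:11.11.11.0/24 dst dp"):
        print(row, [node_color(v) for v in row.split(",")])
    # Messenger popup spam: four-digit SPT and UDP LEN of 400-999.
    print(csv_rows(SAMPLE_LOG, "src dst dp:1026", regex=r"SPT=\d{4}.*LEN=[4-9]\d{2}"))
    print(log_prefix_summary(SAMPLE_LOG))
```

Piping `csv_rows` output into `afterglow.pl -c color.properties | neato -Tgif` reproduces the page's pipeline; `node_color` is the same classification a color.properties file for these graphs would encode. Note that the second UDP line (LEN=40) is correctly rejected by the regex, which is why the pattern needs the three-digit `[4-9]\d{2}` rather than a bare `LEN=4`.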
Attacker: 203.200.213.182
One of the top attackers in this batch of iptables logs is 203.200.213.182, and the graphical representation below displays the unique ports scanned by this IP. Among the scanned ports is 3127, which is associated with the MyDoom worm.
The graph above was generated with the following command:
# psad --CSV -m honeynet-Feb1_FebXX.log --CSV-fields "src:203.200.213.182 dst dp" --CSV-max 1000 | perl afterglow.pl -c color.properties | neato -Tgif -o 203.200.213.182.gif