December 19, 2007

Network Captures – IM decoding

Filed under: Log Analysis — @ 19th of December 2007, 23:45

I just had a moment of awe. I was playing around with packet captures and was wondering whether Wireshark would still ship with a command line alternative for the GUI version. I always liked Ethereal for its protocol analysis capabilities. I pretty quickly found out that the command line version was still maintained. Now called tshark. I was sort of shocked, when I realized how much protocol traffic was actually decoded:

~/tmp$ sudo tshark -ni en1
Capturing on en1
2.004403 -> MSNMS USR 1 1452999922.70216123.6471199
3.672270 -> AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
3.673979 -> AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
5.136301 -> MSNMS [TCP Retransmission] USR 1 OK Raffael%20Marty
5.136735 -> MSNMS CAL 2
5.174140 -> MSNMS CAL 2 RINGING 1111111111
6.750004 -> MSNMS JOI XXXX%20Buding%20in%20boston

It understands the IM protocols (above version is anonymized)! I wonder how I could exploit this for some interesting visualization.

December 10, 2007

Risk Management – Moving Average Analysis

Filed under: Log Analysis — @ 10th of December 2007, 12:12

moving_average.pngToday I found myself researching “moving average analysis” techniques. Using moving average analysis can be fairly useful in trending risk. Plot the moving average over your risk and compare it with the actual risk numbers, much like you would analyze a stock chart. I will write more extensively about this in my book in the “Visual Security Analysis” chapter.

What I just learned and what really pointed me to write this blog post is that Excel has a data analysis add-in that lets you compute moving averages. In my Excel instance, I had to first enable the “Data Analysis” add-in by going to Tools|Add-Ins… Once enabled, I got a new menu item under Tools which is Data Analysis… There you can choose from a variety of data analysis tools, among them a moving average calculator. This blog post shows exactly to to apply the add-in.

December 7, 2007 is online

Filed under: Log Analysis — @ 7th of December 2007, 14:00

cee-logo.gifFinally, Common Event Expression (CEE) has its Web site up!

We are working on a few initiatives right now. If you want to contribute to the discussion, join the mailing list. Send an email to to subscribe.

December 3, 2007

My Splunk Blog

Filed under: Uncategorized — @ 3rd of December 2007, 16:02

logo_splunk.gifI wanted to mention this a long time ago, I am really behind with blogging …

I started another blog. I hope this is not going to be too confusing.

Here is what goes where: