January 28, 2006

GTK2 and Perl and Treemaps

Category: Uncategorized — Raffael Marty @ 3:35 pm

I am frustrated. I found these Perl libraries to build treemaps (Treemap::Squarified). The problem is that it needs this special input format, which is either an XML tree or you can hack it into the internal Perl data structure, which is basically a bunch of arrays. Once I figured out the internal data structure (I was too lazy to go through XML), it got worse. You need to do everything yourself. The library does not even take care of sizing the pieces for you. You need to make sure that the numbers along the hierarchy are all correct and add up. But that’s not all. After playing with that for a while (basically my problem was to convert CSV to a tree; no, I did not finish implementing it), I got into GTK2 coding. Well, that’s a mess too. Hardly anything is documented. I just wanted to show some pictures in a window. Easy? No! I wanted to resize them to fit two arbitrary images into one window. Resize? I could not quite figure out how to have pixbufs and Gtk2 and all that interact. So I gave up…
Back to a language that I know a bit better: Java. Starting over…

January 24, 2006

ITM – Insider Threat Management

Category: Security Article Reviews — Raffael Marty @ 6:26 pm

I just read this article about ITM – yet another acronym, which stands for insider threat management. Looking at the products they reviewed in the InfoWorld article, I just don’t see what is so new about them. They seem to be either a NIDS or a HIDS on steroids. Why wouldn’t I be able to flag specific traffic with a NIDS? I can build a rule in Snort which looks for SSN numbers floating around on my network. Yes, there are some nice manageability features built into these new products, but why don’t NIDS vendors add them on top of their products? I am over-simplifying, but think about it: all these new products are not really _that_ new. They wrap old concepts in new products.
Is marketing taking over completely?

January 23, 2006

TreeMaps

Category: Log Analysis,Visualization — Raffael Marty @ 1:23 am

Wow. I just found this pretty awesome TreeMap tool. The data format it reads is pretty easy and I quickly built a file with some of my firewall data. Well, fake firewall data 😉

TreeMap Example Firewall Data

What you see here is, first, the color: green are firewall passes, red are blocks. Then the hierarchy: the target system is on top, then the target IP, and inside the boxes you see the date when the access happened.
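As an added example (my code, not the Perl library’s or the TreeMap tool’s), here is the CSV-to-tree step from the January 28 post above, applied to the hierarchy this post uses: records nest as target system, then target IP, then date, and the sizes are summed up the hierarchy and checked, which is exactly the bookkeeping Treemap::Squarified leaves to the caller. The sample rows are constructed, and the column names and the green/red rule are assumptions; the TreeMap tool’s own input format is not reproduced here.

```python
import csv
import io

# Constructed sample (fake firewall records, like the post's); not real traffic.
# Columns: action, target_system, target_ip, date
SAMPLE_CSV = """action,target_system,target_ip,date
pass,webfarm,10.0.0.1,2006-01-20
pass,webfarm,10.0.0.1,2006-01-21
block,webfarm,10.0.0.2,2006-01-20
pass,mailhost,10.0.1.7,2006-01-22
block,mailhost,10.0.1.7,2006-01-22
block,mailhost,10.0.1.7,2006-01-23
"""

# Nesting order used in the post: target system, then target IP, then date.
HIERARCHY = ("target_system", "target_ip", "date")

def new_node(name):
    return {"name": name, "size": 0, "pass": 0, "block": 0, "children": {}}

def build_tree(csv_text, hierarchy=HIERARCHY):
    """Nest each CSV row under the hierarchy columns; a leaf's size is its record count."""
    root = new_node("root")
    for row in csv.DictReader(io.StringIO(csv_text)):
        node = root
        for col in hierarchy:
            node = node["children"].setdefault(row[col], new_node(row[col]))
        node["size"] += 1
        node[row["action"]] += 1  # 'pass' or 'block'
    return aggregate(root)

def aggregate(node):
    """Roll leaf counts up so every inner node is the sum of its children."""
    for child in node["children"].values():
        aggregate(child)
    if node["children"]:
        for key in ("size", "pass", "block"):
            node[key] = sum(c[key] for c in node["children"].values())
    return node

def sums_consistent(node):
    """Check the invariant the treemap library leaves to the caller: sizes add up."""
    kids = list(node["children"].values())
    if not kids:
        return node["size"] == node["pass"] + node["block"]
    return node["size"] == sum(c["size"] for c in kids) and all(map(sums_consistent, kids))

def color(node):
    """Post's coloring: green for passes, red where blocks outnumber passes."""
    return "red" if node["block"] > node["pass"] else "green"

def flatten(node, path=()):
    """Yield one (path, size, color) row per leaf box for a treemap renderer."""
    if not node["children"]:
        yield ("/".join(path), node["size"], color(node))
    for name, child in node["children"].items():
        yield from flatten(child, path + (name,))
```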

Well, the tool is pretty awesome. Lots of interactivity. You define the hierarchies manually and it updates the graph on the fly. Then you can color and filter and do all kinds of nifty things. Try it out.

January 21, 2006

GraphViz – Related Tools

Category: Visualization — Raffael Marty @ 10:33 pm

It’s one of those afternoons again where I am losing myself in doing some research on graph tools. Maybe I can spare some others an afternoon of browsing around and summarize some things I found:

  • kgraphviewer – this is a tool to show graphics. The exciting thing is that you can open .dot files. However, only dot is used to render them, not neato or twopi. Too bad.
  • ZGRViewer – looks very promising. You can open .dot files and render them with anything (neato, twopi); the output is zoomable and you can move around. Pretty nice. It’s written in Java. Now the question is whether I could use this framework to build my animated viewer that reads the next .dot file and updates the graph nicely. I will get it done someday!
  • tinfu – Another Java library that draws .dot files. It had trouble with some of my .dot files. I guess the tool’s not very robust.
  • Grappa – Another Java tool. The feature list looks promising. The Web demo is interesting. Need to download it and have a closer look.

I guess one thing that I realized is that you could, in principle, build a graph with, let’s say, twopi and generate an SVG. Then you can manipulate that, show it to the user and so on. The question is still how to periodically update a graph without completely re-laying it out. Well, I am working on this. I think I just haven’t really understood the problem yet 😉

January 17, 2006

GraphViz Graph Nodes

Category: Visualization — Raffael Marty @ 1:00 am

While playing with the AT&T Graphviz library again, I was trying to get nodes to show up as pictures, which is fairly simple:

node [peripheries=0, fontsize=10, shapefile="computer.gif"]

However, what I really want is a transparent gif (computer.gif) and then using background color to color that node. That way I could programmatically change the color of the nodes and still use icons to make the nodes a bit nicer. This is what I tried:

node [peripheries=1, fontsize=10, shapefile="computer.gif", fillcolor=blue]

Unfortunately it did not work. Anyone?

January 16, 2006

Wireless Access – Linux

Category: UNIX Scripting — Raffael Marty @ 6:40 pm

Sitting down at a cafe around the corner from where I live, I realize that some of the scripts I wrote a while back might actually benefit others too. This one is to connect to the first available access point:

#!/bin/bash
# Scan for access points and connect to the first one without encryption.
# Assumes a madwifi interface (ath0) and the iwlist, iwconfig and dhclient tools.

scan=/tmp/wifi-scan.$$
iwlist ath0 scanning > "$scan"

# In iwlist output the Cell/Address line is 5 lines and the ESSID line 4 lines
# before the "Encryption key:off" line of each open cell; head -n 1 picks the first cell.
ap=`grep -B 5 "Encryption key:off" "$scan" | head -n 1 | sed -e 's/.*Address: \(.*\)/\1/'`
essid=`grep -B 4 "Encryption key:off" "$scan" | head -n 1 | sed -e 's/.*ESSID:"\(.*\)"/\1/'`
rm -f "$scan"

echo "Trying AP:$ap / SSID:$essid"

iwconfig ath0 ap "$ap"
iwconfig ath0 essid "$essid"
iwconfig ath0 nick test
# Restart the DHCP client so it requests a lease on the new network.
killall -9 dhclient
dhclient ath0

Not sure whether there would be a simpler solution natively supported by Linux…

Shoki – Packet Hustler

Category: Visualization — Raffael Marty @ 5:05 pm

I haven’t looked at Shoki in a while. Today I downloaded a version again and tried to compile it on my Fedora Core 4 installation, just to find out that the thing would not compile. Well, I dug around in the code for a bit and after some searches on the Web, I realized that gcc 4 is stricter about C conventions and Shoki was written with some non-standard declarations. What fixed it was to define the CC flag in the Makefile to use gcc32 instead of gcc.
Playing with this tool, I somehow have the impression that I just don’t get it. I can redefine the axes and play with that, but I can’t seem to accomplish even zooming into a certain selection. And then there is all this extra stuff like fast Fourier transformations etc. While I know what that is, I just don’t quite understand how all that works in Shoki. Maybe I have to spend an afternoon with the documentation 😉 Or maybe there are people out there who have some tips or hints for me?
What I am really interested in is whether someone managed to analyze a dataset and can show me what he found with which feature. Do all the bells and whistles (some of the advanced features) really help? Help me out!

January 12, 2006

Conferences

Category: Visualization — Raffael Marty @ 1:41 am

Conference season is kicking in again. It looks like this year will be a busy year for me. I will be speaking at the RSA conference in mid-February in San Jose. Then I just got notice that I got accepted to EuSecWest06. At both places I will be talking about Security Event Visualization. The EuSecWest presentation is going to be more technical and AfterGlow driven, while the RSA presentation is more on the higher level of visualizing security data and attaching a workflow to that.
I have been interested in the workflow aspect of security monitoring for a long time already. It kind of started about three years back with a presentation on Intrusion Management I gave at ETH Zurich. There I tried to outline that the incident response and security event monitoring processes need to be tightly integrated into the other IT processes. I guess over time this has become quite apparent, but I still don’t see it completely implemented in many places.