I wanted to post this picture for a while. Here we go. Anton (NetForensics) and myself (ArcSight) at some of our competitors booths … Thanks for taking the pictures!
Another release of AfterGlow. It’s mainly a feature release where I introduce fan-out filtering. I also fixed some minor bugs around property file parsing and some error messages. Nothing major.
The fan-out filtering is really cool. So far you could only filter based on node counts. Saying for example you wanted to eliminate all the nodes which had a count of 5 or less. Now you can say you want to filter out all the nodes which have a fan out (outgoing neighbors) of 4 or less. This way you can for example identify scans, as here:
This was generated with:
afterglow.pl -c color.properties -p 1 -d -o 7 -g 8
Where -g is the filter for the fan-outs. The graph clearly shows that some external machines were scanning all the internal machines on one and the same port.
I am still waiting for people to send me their graphs!!
I was playing with AfterGlow and visualizing netflow data lately. I realized that some of the configurations in AfterGlow are a bit tedious. So I added a new property to address coloring independent of the node: color=”blue” for example. I also added a feature to turn off labels on a per-node type. For example label.source=0 turns off source node labels. And finally I started playing with clustering of nodes. A lot of times you end up with a huge amount of nodes and you don’t really need to know all the details of that cluster, you just want to know that there is something going on around there. So for example for IP addresses, oftentimes you want to cluster by subnets (e.g., A, B, C classes):
cluster.source=regex_replace(“(\\d\+\\.\\d+)”).”/16″ if (!match(“^(212\.254\.110|195\.141\.69)”))
This looks complicated, but it’s not that bad. Basically there are a few functions I introduced. Read it from right to left. First you check whether there is a match on the source field (we are doing cluster.source) for either of these two IP ranges. If so, you take that value and you do a regex_replace on it. Basically getting the two first octets and adding “/16″ to it. An easier example would be:
cluster.target=”bigger than 1024” if ($fields>1024)
AfterGlow 1.4, which supports clusters and all the other things is now available via sourceforge.
Fresh from the press and fueling the discussion on the acronyms that I started earlier. Not just authors of articles are starting to make up new acronyms, now apparently the NBAD space is being renamed to NBA (Network Bahavioral Analysis). Why do we have to make things more complicated. People have a hard enough time already keeping track of technologies, and now you need to have a special dictionary for security acronyms?