logger foobar

Forensic Challenge 5: Log Mysteries

2010-09-01T01:27:00.000-07:00

Anton, Raffy and I are pleased to release the 5th honeynet forensic challenge. Challenges are one of the favorite Honeynet Project things that people enjoy from us, and it is a pleasure for me to participate in such a great log analysis challenge.

Data are one of the hardest things to get, I regularly hear from customers and people I meet during various conferences around the world (both industrial and academic) that they had a hard time to test their tools on real data.

Indeed, it is not easy to setup an environment that looks real, and until now, despite the few efforts out there, DARPA was the only one to release data in 1998, 1999 and 2000, we don't see much data available to the public. Good data must mix both real stuff you have on your network and attacks in it (and not just attacks).

A lot of people have data but cannot share it for mostly confidentiality reasons. I admit this is not easy and this is why I started the loganon project during the last Google Summer Of Code (I will post something specific on this project later).

Most of the time I bring this subject on the table I hear people saying this is a dead-end, too hard to do, nobody will cooperate. Well, I am pretty sure Wikipedia heard the same stuff before starting.

So instead of worrying and wondering how to do it, we just do it. Enjoy this challenge, since it is a pretty open challenge I expect a lot of surprising results.

Get it here http://honeynet.org/challenges/2010_5_log_mysteries

PicViz News

2010-03-01T11:35:00.000-08:00

It has been almost 6 months without new releases of PicViz. There are good reason to it !

Philippe and I actually reworked on the architecture to make it way more powerful. Our first goal was to give PicViz an efficient way to integrate logs and network traffic without going through the PGDL language and various scripts to generate it. These types of input are now automagically integrated and we are tuning the whole thing for even better performance...

We also injected in PicViz a lot of abstract maths to make it a terrific tool to find correlations in multiple dimensions. We want PicViz to assist users to find attacks very quickly.

This work is very exciting, looking at the results we already have. Needless to say that there is a big gap between the Picviz you know and the one we are working on! The GUI has been completely rewritten and is incomparably snappier. We also provide a lot of assistance and interaction to the user.

Parallel Coordinates are now easier to understand and use. We are closer than ever before to the original target of the project : be able to manage and react quickly to attacks at a nation's level and fill the technical gap of a long term SIEM and IDS usage.

Stay tuned!

3c501.c

2010-02-05T04:30:00.000-08:00

Working on a secret project, I had to work on the 3c501.c driver. Reading comments I had the pleasure to read:

This is a device driver for the 3Com Etherlink 3c501. Do not purchase this card, even as a joke. It's performance is horrible, and it breaks in many ways.