-
How To: Creating Your Own Animated Threat Map
One day, I was challenged to create a “live” threat map from our existing SIEM data for display on our SOC wall screens. Never one to shrink from a challenge, I accepted. But I know practically no JavaScript, I’m not a web developer by any stretch of the imagination, and I had nowhere to start except this project, which is a joke threat map that plots random attacks using random geographical coordinates. …
-
Various Shell Tricks
Quickest way to get your ssh key to a remote host:
    ssh-copy-id username@host.example.com
Shuffle items in a file:
    cat file.txt | perl -MList::Util=shuffle -e 'print shuffle(<STDIN>);' >file-shuffled.txt
Count the number of comma-separated items on each line in a file:
    cat file.txt | perl -ne 'print 1+@{[/,/g]},"\n"'
Count the number of comma-separated items on each line in a file, and generate the average number of items per line:
    cat file.txt | perl -ne 'print 1+@{[/,/g]},"\n"' | awk '{ sum += $1; n++ } END { if (n > 0) print sum / n; }'
Give the average of a list of numbers in a file:
    cat numbers-list. …
-
Analyst Tip: Suspicious DNS Behavior
The following rules of thumb may be used to build analytics to search for suspicious DNS-related activity. I have provided references that support their use wherever possible.
    Sudden short, large burst of queries for a domain
    Domain resolves to multiple IPs in different ASes, countries, and/or regions (A RRs)
    TTL changes over a period of time (reference)
    IP assigned to domain changes frequently over a period of time (reference) …
-
Converting pcap files to network flow data
Pcap data is a wonderful resource; indispensable when doing certain kinds of analyses. Sometimes, however, you want to be able to use network flow data instead. Flow is much more compact, and allows you to more easily explore the relationships among hosts on a network before digging into the nuts and bolts with pcap. It also allows you to archive months or years of data in a much more efficient manner than you can with pcap. …