SlideShare a Scribd company logo

Safely Drinking from the Data Waterhose

R
removed_2f549eee70d939dfede7ace2e2d83869

The document discusses various aspects of network security, focusing on log management and detection of anomalies or threats. It highlights specific incidents such as failed logins, cross-site scripting (XSS) attacks, and SQL injection attempts, while emphasizing the importance of geolocating user activity and analyzing patterns. The author advocates for proactive security measures including building profiles, reducing false positives, and responding to alerts effectively.

TechnologyDesign
1 of 20
Downloaded 25 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Safely Drinking From The Fire Hose @jschauma Jan Schaumann Señor Network Security Engineer jschauma@etsy.com B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
I <3 logs! @jschauma web logs mail logs system logs vpn logs 2 08/28/12
Log Bongzilla, aka Splunk @jschauma Logs go in… Is this how Octocat came to be? ts come ler out ri ty a secu 2 08/28/12
Splunk Alerts FTW! @jschauma YO DAWG, I HERD YOU LIKE LOGS SO I PUT SOME LOGS IN YOUR LOGS SO YOU CAN SPLUNK WHILE YOU SPLUNK 2 08/28/12
sudo make me a sandwich @jschauma 2 08/28/12
Know your patterns. @jschauma VPN Connections July 4th was a Wednesday People making up for People slacking off early last week? on a Friday, eh? 5 08/28/12
That was unexpected… @jschauma
XSS detection @jschauma Announcement of Bug Bounty program: http://is.gd/UTZ5wD code push to address reported vulnerabilities 6 08/28/12
Geolocate all the things! @jschauma 3 08/28/12
XSS detection @jschauma IP : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net Geolocation : Even Yehuda, 02, IL Whois : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND Requests : 146 Method : GET URL : /suggest_username.php?first-name=test&last-name= onerror%3Dalert(0)%3E&email=shai%40exploit.co.il 13 minutes after we announced our security bug bounty program http://is.gd/UTZ5wD Method : POST URL : /your/profile Data : u'fb_avatar_url=&gender=female&city3=&new_city= "><img src=x onerror=prompt(1);>&new_region=&new_countrycode= &new_latlon=,&city3_dup="><img src=x’ […] 6 08/28/12
SQLi detection @jschauma IP : 216.185.114.219 – unknown Geolocation : Jurong East, 00, SG Whois : ThePlanet.com Internet Services, Inc., ARIN, NET216 Requests : 20 Method : GET URL : /listing/102946830/womens-shirt-beige-tunic-womens- blouse?ref=999999.9%27+union+all+select+0x313032353438303035 36%2C0x31303235343830303536%2C0x31303235343830303536 %2C0x31303235343830303536%2C0x31303235343830303536%2 C0x31303235343830303536%2C0x31303235343830303536%2C0 x31303235343830303536%2C0x31303235343830303536%2C0x31 830303536%2C0x31303235343830303536%2C0x31303235343830 303536%2C0x31303235343830303536%2C0x31303235343830303 536+and+%27x%27%3D%27x Method : GET URL : /category/furniture?page=499999%27%20union%20 select%20unhex(hex(version()))%20 […] 6 08/28/12
Know when people can’t log in… @jschauma 2 08/28/12
High number of failed logins @jschauma Admin : <username> (<internal login>, <site login>) IP : 64.124.192.210 - 64.124.192.210.t01419-07.above.net Geolocation : Brooklyn, NY, US Whois : ETSY Inc, ARIN, NET64 # of failed logins : 13 doesn’t know what he’s doing; do not trust! Admin : jschauma (jschauma, jschauma) IP : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr- avec.ny.cable.rcn.com Geolocation : New York, United States Whois : RCN Corporation, ARIN, NET207 # of failed logins : 16 6 08/28/12
Geolocate all the things! @jschauma 4 08/28/12
“Unexpected” login detection @jschauma Admin : <username> (<internal login>, <site login>) IP : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl Geolocation : Rotterdam, 11, NL Whois : XS4ALL Internet BV, RIPE, DEMON-NL-DSL Admin : <username> (<internal login>, <site login>) IP : 217.192.56.102 – unknown Geolocation : Zurich, 25, CH Whois : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET Admin : <username> (<internal login>, <site login>) IP : 24.231.49.240 - unknown Geolocation : Nassau, 23, BS Whois : Cable Bahamas, ARIN, CABLEBAHAMAS-NET Admin : <username> (<internal login>, <site login>) IP : 200.49.191.120 - map120.network49.191.tigo.net.gt Geolocation : Guatemala City, 07, GT Whois : COMCEL GUATEMALA S.A., LACNIC 6 08/28/12
I said: “Please insert girder!” @jschauma
Identify scrapers. @jschauma Admin : <username> (<internal login>, <site login>) IP : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com Geolocation : Ashburn, VA, US Whois : Amazon.com, Inc., ARIN, NET50 Provider : Amazon AWS Count :7 Admin : <username> (<internal login>, <site login>) IP : 207.228.237.110 – unknown Geolocation : New York, NY, US Whois : HopOne Internet Corporation, ARIN, NET207 Provider : HopOne Count :1 6 08/28/12
Re-re-re-re-re-CAPTCHA @jschauma source=”info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount 6 08/28/12
Of Liars and Outliers (good book, btw) @jschauma wtf happened here? Ooh, right… this: http://is.gd/fognju http://is.gd/0hRDLY http://is.gd/WxcA0r 6 08/28/12
This talk was too long! @jschauma Log it now, log it all. Geolocate all the things. Build profiles. (Creepy, I know.) Reduce false positives. (Whitelists!) Have defined reactions to all alerts. Notice the outliers. Explain them. That’s all, folks! Thanks! 2 08/28/12

More Related Content

PDF
HTML5.tx 2013: Embedded JavaScript, HTML5 and the Internet of Things
Jesse Cravens
 
PDF
Development is Production Too
jgoulah
 
PDF
WCIT 2012 - Assespro Oficial Bid Book
Assespro Nacional
 
PDF
April 17, 2012 CIty Council Agenda Packet
City of San Angelo Texas
 
PDF
Memcached Presentation @757rb
Ken Collins
 
PDF
Gerenciamento de Backups PostgreSQL com pgbarman
Juliano Atanazio
 
PDF
Various hints & tips around Solution Selling (January 2014)
Eric Van 't Hoff
 
PDF
Marco Hogewoning -XS4all
IPv6 Summit 2010
 
HTML5.tx 2013: Embedded JavaScript, HTML5 and the Internet of Things
Jesse Cravens
 
Development is Production Too
jgoulah
 
WCIT 2012 - Assespro Oficial Bid Book
Assespro Nacional
 
April 17, 2012 CIty Council Agenda Packet
City of San Angelo Texas
 
Memcached Presentation @757rb
Ken Collins
 
Gerenciamento de Backups PostgreSQL com pgbarman
Juliano Atanazio
 
Various hints & tips around Solution Selling (January 2014)
Eric Van 't Hoff
 
Marco Hogewoning -XS4all
IPv6 Summit 2010
 

Viewers also liked (15)

PDF
Simple Log Analysis and Trending
Mike Brittain
 
PDF
12-Step Program for Scaling Web Applications on PostgreSQL
Konstantin Gredeskoul
 
TXT
英文 Rc heli
tiffanysrc
 
PDF
Scaling postgres
Denish Patel
 
PDF
Cybersecurity nl
Mark Johnson
 
PDF
Scaling Etsy: What Went Wrong, What Went Right
Ross Snyder
 
TXT
4000 auto approve wordpress blogs backlink list (pr8-pr1)
Djuwarsjah Linnus
 
PDF
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...
Ben Kilmer
 
PDF
Talk talk talk 2
Trần Thanh Hảo
 
PDF
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQL
Konstantin Gredeskoul
 
PDF
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)
LiGhT ArOhL
 
PDF
Etsy Case Study
SlideShare
 
PDF
88 Gibraltar i-remit collection procedure
88gibraltar
 
PDF
Design for Continuous Experimentation
Dan McKinley
 
PDF
Netflix marketing plan
Evelyne Otto
 
Simple Log Analysis and Trending
Mike Brittain
 
12-Step Program for Scaling Web Applications on PostgreSQL
Konstantin Gredeskoul
 
英文 Rc heli
tiffanysrc
 
Scaling postgres
Denish Patel
 
Cybersecurity nl
Mark Johnson
 
Scaling Etsy: What Went Wrong, What Went Right
Ross Snyder
 
4000 auto approve wordpress blogs backlink list (pr8-pr1)
Djuwarsjah Linnus
 
The Evolution Of The Music Industry The Effect Of Technology And Law On Stra...
Ben Kilmer
 
Talk talk talk 2
Trần Thanh Hảo
 
From Obvious to Ingenius: Incrementally Scaling Web Apps on PostgreSQL
Konstantin Gredeskoul
 
K TO 12 GRADE 7 LEARNING MATERIAL IN EDUKASYON SA PAGPAPAKATAO (Q1-Q2)
LiGhT ArOhL
 
Etsy Case Study
SlideShare
 
88 Gibraltar i-remit collection procedure
88gibraltar
 
Design for Continuous Experimentation
Dan McKinley
 
Netflix marketing plan
Evelyne Otto
 
Ad

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Approach and Philosophy of On baking technology
30anthuong17
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
August Patch Tuesday
Ivanti
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
project resource management chapter-09.pdf
ssuser00e6e21
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
Ad

Safely Drinking from the Data Waterhose

  • 1. Safely Drinking From The Fire Hose @jschauma Jan Schaumann Señor Network Security Engineer jschauma@etsy.com B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
  • 2. I <3 logs! @jschauma web logs mail logs system logs vpn logs 2 08/28/12
  • 3. Log Bongzilla, aka Splunk @jschauma Logs go in… Is this how Octocat came to be? ts come ler out ri ty a secu 2 08/28/12
  • 4. Splunk Alerts FTW! @jschauma YO DAWG, I HERD YOU LIKE LOGS SO I PUT SOME LOGS IN YOUR LOGS SO YOU CAN SPLUNK WHILE YOU SPLUNK 2 08/28/12
  • 5. sudo make me a sandwich @jschauma 2 08/28/12
  • 6. Know your patterns. @jschauma VPN Connections July 4th was a Wednesday People making up for People slacking off early last week? on a Friday, eh? 5 08/28/12
  • 8. XSS detection @jschauma Announcement of Bug Bounty program: http://is.gd/UTZ5wD code push to address reported vulnerabilities 6 08/28/12
  • 9. Geolocate all the things! @jschauma 3 08/28/12
  • 10. XSS detection @jschauma IP : 79.182.16.1 - bzq-79-182-16-1.red.bezeqint.net Geolocation : Even Yehuda, 02, IL Whois : *SE4-DRP*, RIPE, BEZEQINT-BROADBAND Requests : 146 Method : GET URL : /suggest_username.php?first-name=test&last-name= onerror%3Dalert(0)%3E&email=shai%40exploit.co.il 13 minutes after we announced our security bug bounty program http://is.gd/UTZ5wD Method : POST URL : /your/profile Data : u'fb_avatar_url=&gender=female&city3=&new_city= "><img src=x onerror=prompt(1);>&new_region=&new_countrycode= &new_latlon=,&city3_dup="><img src=x’ […] 6 08/28/12
  • 11. SQLi detection @jschauma IP : 216.185.114.219 – unknown Geolocation : Jurong East, 00, SG Whois : ThePlanet.com Internet Services, Inc., ARIN, NET216 Requests : 20 Method : GET URL : /listing/102946830/womens-shirt-beige-tunic-womens- blouse?ref=999999.9%27+union+all+select+0x313032353438303035 36%2C0x31303235343830303536%2C0x31303235343830303536 %2C0x31303235343830303536%2C0x31303235343830303536%2 C0x31303235343830303536%2C0x31303235343830303536%2C0 x31303235343830303536%2C0x31303235343830303536%2C0x31 830303536%2C0x31303235343830303536%2C0x31303235343830 303536%2C0x31303235343830303536%2C0x31303235343830303 536+and+%27x%27%3D%27x Method : GET URL : /category/furniture?page=499999%27%20union%20 select%20unhex(hex(version()))%20 […] 6 08/28/12
  • 12. Know when people can’t log in… @jschauma 2 08/28/12
  • 13. High number of failed logins @jschauma Admin : <username> (<internal login>, <site login>) IP : 64.124.192.210 - 64.124.192.210.t01419-07.above.net Geolocation : Brooklyn, NY, US Whois : ETSY Inc, ARIN, NET64 # of failed logins : 13 doesn’t know what he’s doing; do not trust! Admin : jschauma (jschauma, jschauma) IP : 207.38.139.33 - 207-38-139-33.c3-0.avec-ubr2.nyr- avec.ny.cable.rcn.com Geolocation : New York, United States Whois : RCN Corporation, ARIN, NET207 # of failed logins : 16 6 08/28/12
  • 14. Geolocate all the things! @jschauma 4 08/28/12
  • 15. “Unexpected” login detection @jschauma Admin : <username> (<internal login>, <site login>) IP : 83.160.48.31 - a83-160-48-31.adsl.xs4all.nl Geolocation : Rotterdam, 11, NL Whois : XS4ALL Internet BV, RIPE, DEMON-NL-DSL Admin : <username> (<internal login>, <site login>) IP : 217.192.56.102 – unknown Geolocation : Zurich, 25, CH Whois : The Hub Zuerich Assoc., RIPE, THE-HUB-ZUERICH-NET Admin : <username> (<internal login>, <site login>) IP : 24.231.49.240 - unknown Geolocation : Nassau, 23, BS Whois : Cable Bahamas, ARIN, CABLEBAHAMAS-NET Admin : <username> (<internal login>, <site login>) IP : 200.49.191.120 - map120.network49.191.tigo.net.gt Geolocation : Guatemala City, 07, GT Whois : COMCEL GUATEMALA S.A., LACNIC 6 08/28/12
  • 16. I said: “Please insert girder!” @jschauma
  • 17. Identify scrapers. @jschauma Admin : <username> (<internal login>, <site login>) IP : 50.17.73.70 - ec2-50-17-73-70.compute-1.amazonaws.com Geolocation : Ashburn, VA, US Whois : Amazon.com, Inc., ARIN, NET50 Provider : Amazon AWS Count :7 Admin : <username> (<internal login>, <site login>) IP : 207.228.237.110 – unknown Geolocation : New York, NY, US Whois : HopOne Internet Corporation, ARIN, NET207 Provider : HopOne Count :1 6 08/28/12
  • 18. Re-re-re-re-re-CAPTCHA @jschauma source=”info.log" reCAPTCHA status="incorrect" | transaction ip | where eventcount > 50 | table ip,eventcount | sort -eventcount 6 08/28/12
  • 19. Of Liars and Outliers (good book, btw) @jschauma wtf happened here? Ooh, right… this: http://is.gd/fognju http://is.gd/0hRDLY http://is.gd/WxcA0r 6 08/28/12
  • 20. This talk was too long! @jschauma Log it now, log it all. Geolocate all the things. Build profiles. (Creepy, I know.) Reduce false positives. (Whitelists!) Have defined reactions to all alerts. Notice the outliers. Explain them. That’s all, folks! Thanks! 2 08/28/12