Event Analysis Training

Event Analysis Training – Worm Outbreak

by Ron Gula
May 13, 2009

On Friday April 10, the Conficker worm was supposed to wake up and start network scanning. I grabbed the following screen shot from one of Tenable’s research sites:


Event Analysis Training – SSH Brute Forcing with Mixed Log Sources

by Ron Gula
April 29, 2009

I was recently working with a Log Correlation Engine customer who had gone through a typical deployment. Tenable advises customers to carefully consider which system and application logs they want their LCE Clients to send to the LCE server, in addition to a variety of Snort, Firewall and network activity logs. In this case, the customer had recently configured their system to send SSH logs to the LCE whereas before, they were only getting "network" events. When I had the opportunity to chat with them, they were very concerned about various worms or potential intruders performing a network scan such as those shown below:

Event Analysis Training – An aggressive active worm analysis that isn’t Conficker

by Ron Gula
February 25, 2009

Recently, I saw a spike in “compliance” violations in the logs of one of the large research deployments of Tenable’s network and log monitoring products. At first glance, a web server appeared to be sharing content that matched our passive adult media data rules. On further analysis, we discovered that this was actually a worm infection. This blog demonstrates many of the techniques to use network analysis to identify the worm’s activity.

Event Analysis Training - Run NT and Pay the Price

by Ron Gula
October 16, 2008

Most large enterprise networks have a few legacy systems around – either because they were “forgotten” or because they support an old application that was never ported to a newer release. Such legacy systems can be the Achilles’ heel of network security.

The following sanitized screen shot comes from one of Tenable’s research sites:

Event Analysis Training - Advanced Blacklist Analysis

by Ron Gula
September 3, 2008

DNS blacklists are publicly accessible lists of IP addresses that have been identified as associated with undesirable Internet behavior, mostly involving the sending of spam e-mails.

Event Analysis Training -- Working with "BlackLists"

by Ron Gula
June 10, 2008

Many SIM, NIDS and NBAD solutions have some sort of "blacklist" functionality which highlights when systems on your network interact with IP addresses that have been identified as being associated with scanning, virus propagation, SPAM originators and so on. These solutions typically take one or more lists of potentially "bad" IP addresses and then scour your netflow, IDS, firewall or other types of logs to see if there are any correlations. This blog entry will focus on how these types of events can be analyzed.