Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

Security Log Visualization with a Correlation Engine

log analysis
Chris Kubecka
Chaos Communication Congress 28th (28C3) 2011
Indexed on
Mar 27, 2013
File name
File size
1.9 MB

This brief session focuses on the visualization of actual security incidents, network forensics and counter surveillance of covert criminal communications utilizing large data sets from various security logs and a very brief introduction to correlation engine logic. Visually displaying security or network issues can express the risk or urgency in a way a set of dry logs or other methods might not be able to. Additionally, many organizations rely on a more singular approach and react to security events, many times from a high false positive rate source such as isolated intrusion prevention or firewall alerts, or relying only on anti-virus alerts. Utilizing a correlation engine (especially open source) or similar applications could offer a method of discovering or in some cases proactively detecting issues. The research discussed involves analysis and interrogation of firewall, intrusion detection and prevention systems, web proxy logs and available security research. What does a compromised server infected with spam malware look like or cyber warfare? A 20 minute presentation of data visualization and investigation scenarios of five actual issues discovered using various security logs and a correlation engine. The lecturer will take you on a visual journey from seemingly mundane entries in firewall logs through to detecting covert communications between a corporate web server and a cyber-criminal drop zone. Additional visualizations presented: a United Kingdom based portion of the South Korean DNS Distributed Denial of Service attacks of July/August 2008, what bypassing deep packet inspection using HTTPS/SSL/TLS looks like, detecting a rouge corporate email server, malicious DNS usage and more. Although the presenter used a commercial correlation engine, the presentation will conclude with the discussion of an open source correlation engine.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !