George Adamopoulos's blog

Monitoring pf logs with Gource

Ever wanted to see your OpenBSD pf(4) logs in a cinematic way?

This post demonstrates the use of Gource (a software version control visualization tool) as a means to visualize our pf firewall logs.

The examples in this post were carried out on OpenBSD, piping the output of pflog(4) to a Linux workstation with OpenGL extension support (Gource needs OpenGL to render).
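Gource knows nothing about packets; it reads a "custom" log where each line is `unix_timestamp|user|type|path[|hex_colour]`. The script below is an added example, not code from the original post: it turns tcpdump(8) output from pflog(4) into that format, treating each source address as the "user" and `/interface/action/destination/port` as the "file" it touches. It assumes the input lines look like `tcpdump -n -e -tttt -i pflog0` output (date and time stamp, then the pflog header `rule N/(match) block in on em0:`), handles IPv4 only, and the sample lines are constructed for illustration.

```python
"""Convert tcpdump(8) output from pflog(4) into Gource's custom log format.

Gource custom format, one record per line:
    unix_timestamp|username|type|path[|hex_colour]
where type is A (added), M (modified) or D (deleted).
Here a packet's source address is the "user" and
/interface/action/destination/port is the "file" it touches.
"""
import re
import sys
from datetime import datetime, timezone

# Matches the pflog header tcpdump prints with -e, plus the IPv4 addr.port pair, e.g.
# "2023-09-25 12:34:56.123456 rule 3/(match) block in on em0: 192.0.2.1.12345 > 198.51.100.2.22: ..."
# (assumed format of `tcpdump -n -e -tttt -i pflog0`; IPv6 lines are skipped)
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"rule (?P<rule>\S+) (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Colour per pf action so blocked traffic stands out in the animation.
COLOURS = {"block": "FF0000", "pass": "00FF00", "match": "FFFF00"}

# Constructed sample of tcpdump pflog0 output (not real traffic).
SAMPLE = """\
2023-09-25 12:34:56.123456 rule 3/(match) block in on em0: 192.0.2.1.12345 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
2023-09-25 12:34:57.000001 rule 7/(match) pass in on em0: 203.0.113.9.4242 > 198.51.100.2.443: Flags [S], seq 2, win 65535, length 0
2023-09-25 12:34:58.500000 rule 3/(match) block in on em0: 192.0.2.1.12346 > 198.51.100.2.23: Flags [S], seq 3, win 65535, length 0
this line is not pflog output and is ignored
"""


def to_gource(line):
    """Return one Gource custom-log record for a pflog line, or None if it does not parse."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    # tcpdump prints local time; treat it as UTC so epoch values are reproducible.
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    path = "/%s/%s/%s/%s" % (m["iface"], m["action"], m["dst"], m["dport"])
    colour = COLOURS.get(m["action"], "FFFFFF")
    return "%d|%s|A|%s|%s" % (int(ts.timestamp()), m["src"], path, colour)


def convert(lines):
    """Convert an iterable of tcpdump lines, dropping anything that is not a pflog record."""
    out = []
    for line in lines:
        rec = to_gource(line.rstrip("\n"))
        if rec is not None:
            out.append(rec)
    return out


if __name__ == "__main__":
    # Stream mode: tcpdump -n -e -tttt -l -i pflog0 | python3 pflog2gource.py | gource --log-format custom -
    for rec in convert(sys.stdin):
        print(rec, flush=True)
```

Run it as `tcpdump -n -e -tttt -l -i pflog0 | python3 pflog2gource.py | gource --log-format custom -` (tcpdump's `-l` line-buffers the output so the animation is live). Mapping destination port into the path is what makes port scans visible: one "user" touching dozens of sibling files in a burst.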

Using syslog and Echofish to detect persistent threats on your networks

Have you checked your server logs lately? Did you see those "odd" requests from arbitrary IPs that appear to perform a single request and "vanish"? Have you ever wondered how many of those are actually random? Do they return? How often?

No matter which service you expose to the internet (http, ssh, smtp, imap), you are certain to notice protocol-aware requests (e.g. a valid HTTP GET request) from random IP addresses hitting your public services.

The following blog post focuses on answering these questions and on how we use the Abuser module of Echofish to identify persistent attackers on our services who would otherwise go unnoticed.
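The question "do they return, and how often?" is answerable from plain syslog before any tooling is involved. The script below is an added example, not Echofish's code or the Abuser module: it groups BSD-style syslog lines by the IPv4 address they mention, counts on how many distinct days each address was seen and across which services, and reports the ones that came back on at least `min_days` days. The log lines are constructed for illustration; since syslog timestamps carry no year, days are keyed by month and day only.

```python
"""Find source addresses that keep coming back.

A single probe from a random address is noise; an address that returns
on several different days, possibly against different services, is the
kind of persistent visitor that never trips a per-event alert.
"""
import re
from collections import defaultdict

# BSD syslog line: "Sep 25 03:12:44 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d{2}:\d{2}:\d{2} \S+ "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# First dotted-quad in the message; "HTTP/1.1" or a status code never has four octets.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample (sshd auth failures and httpd access lines sent to syslog).
SAMPLE_LOG = """\
Sep 20 03:12:44 gw sshd[8123]: Invalid user admin from 192.0.2.1 port 50011
Sep 23 04:01:02 gw sshd[8390]: Invalid user oracle from 192.0.2.1 port 50233
Sep 25 11:45:09 gw httpd[1021]: 192.0.2.1 - - "GET /wp-login.php HTTP/1.1" 404
Sep 25 11:45:10 gw httpd[1021]: 192.0.2.1 - - "GET /phpmyadmin/ HTTP/1.1" 404
Sep 25 11:46:00 gw httpd[1021]: 203.0.113.9 - - "GET / HTTP/1.1" 200
Sep 25 12:00:00 gw sshd[8411]: Invalid user test from 198.51.100.77 port 41000
Sep 25 12:00:03 gw sshd[8412]: Invalid user test from 198.51.100.77 port 41001
Sep 25 12:01:00 gw syslogd[101]: restart
"""


def persistent_sources(lines, min_days=2):
    """Return [{src, days, hits, services}] for addresses seen on >= min_days distinct days.

    Sorted by distinct days, then total hits, descending.
    """
    days = defaultdict(set)
    hits = defaultdict(int)
    progs = defaultdict(set)
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ip = IPV4_RE.search(m["msg"])
        if not ip:
            continue  # e.g. "syslogd: restart" mentions no source
        src = ip.group(1)
        days[src].add((m["mon"], int(m["day"])))
        hits[src] += 1
        progs[src].add(m["prog"])
    result = [
        {"src": src, "days": len(d), "hits": hits[src], "services": sorted(progs[src])}
        for src, d in days.items()
        if len(d) >= min_days
    ]
    result.sort(key=lambda r: (-r["days"], -r["hits"], r["src"]))
    return result


if __name__ == "__main__":
    for r in persistent_sources(SAMPLE_LOG.splitlines()):
        print("%-16s days=%d hits=%d services=%s" % (r["src"], r["days"], r["hits"], ",".join(r["services"])))
```

On the sample, two addresses each make several requests on one day and drop out, while 192.0.2.1 shows up on three separate days against both sshd and httpd, which is the pattern worth acting on. Two caveats a practitioner should keep in mind: addresses behind carrier NAT or on dynamic pools make "the same IP" a weaker signal than it looks, and a day threshold alone says nothing about intent, so the per-service detail is there to judge the hits rather than to count them.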