Our "Know Your Tools: use Picviz to find attacks" whitepaper was released on November 25th 2009 as a PDF only. You can download the full paper from the link below.
Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is difficult to identify with traditional analysis methods.
In the first paper of our new Know Your Tools series, Sebastien Tricaud from the French Honeynet Project Chapter and Victor Amaducci from the University of Campinas, focus on Picviz. After a brief overview on parallel coordinates, Picviz architecture, and installation procedure, three real-world examples are presented that illustrate how to identify attacks from large amounts of data: Picviz is used to analyze SSH logs, Apache access logs and network traffic. With these examples, it is demonstrated how Picviz can find attacks that previously have been hidden.
Recent additions to Picviz GUI have been made by Victor Amaducci under the mentorship of Sebastien Tricaud as part of the Google Summer of Code program 2009. The most recent version of Picviz is freely available for download from its project site at http://www.wallinfire.net/picviz and support can be sought from the Picviz mailing list at http://www.wallinfire.net/cgi-bin/mailman/listinfo/picviz.
Paper last updated November 25th 2009
PDF Sha1: 282e2708f92a6bf689ff735af97cc0c6f1c1a9a3 (KYT-Picviz_v1_0.pdf)