Visualization of 15 minutes of log data
for a class B firewall, with and without background worm
traffic. Courtesy of
Ed Blanchfield.
I'd like to nominate my brother Ed Blanchfield for Graph of the Month.
You're going to love what he did with some Firewall/Intrusion Detection System
(IDS) log data using aiSee, to get "before" and "after" graphs showing
the impact of an MS-SQL worm which hit the Internet around January 25th 2003.
When this particular worm hit a large class B sized network,
an IDS that Ed had designed and implemented from scratch, while working under
contract to a large managed services provider, was one of the first
in the world to detect and report the incident.
Ed posted
his original findings and info to various security lists.
He then used aiSee to demonstrate the impact of
the worm to his management and their client.
(I had previously recommended aiSee to Ed, as at
the time I'd been using it to map the .AU name space and IP address space
crawled by a search engine project of mine.)
Anyway, Ed, being the data junkie and Perl guru that he is,
quickly wrote a parser to create GDL files
from the firewall and IDS logs, fed them into aiSee and visually mapped
this worm's effect on their customer's network.
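As an added illustration of that pipeline (this is not Ed's Perl parser, which the page does not reproduce), the Python script below parses firewall log lines, counts source-to-destination flows, and emits aiSee GDL, with a switch that drops the worm traffic so the same data yields a "before" and an "after" graph. The log line format, the addresses and the sample lines are constructed for the example; the worm port assumes the January 2003 MS-SQL worm (SQL Slammer), which spread over UDP port 1434.

```python
"""Firewall log -> aiSee GDL converter (added example, not the original parser)."""
import re
from collections import Counter

# Constructed sample lines in an assumed "time ACTION proto src:port -> dst:port"
# shape; the real firewall format is not shown on the page.
SAMPLE_LOG = """\
00:00:01 ACCEPT udp 10.1.2.3:1434 -> 10.7.8.9:1434
00:00:01 ACCEPT udp 10.1.2.3:1434 -> 10.7.8.10:1434
00:00:02 DROP   udp 10.1.2.3:1434 -> 10.7.9.1:1434
00:00:02 ACCEPT tcp 10.1.2.4:40123 -> 10.7.8.9:80
00:00:03 ACCEPT udp 10.3.3.3:1434 -> 10.7.8.9:1434
00:00:03 DROP   udp 10.3.3.3:1434 -> 10.7.9.2:1434
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: the worm in question is SQL Slammer, which targets UDP/1434.
WORM_PORT = 1434


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def is_worm(rec):
    """A UDP flow to the worm port is treated as worm traffic."""
    return rec["proto"] == "udp" and rec["dport"] == WORM_PORT


def build_edges(records, include_worm=True):
    """Count src->dst flows, keyed by (src, dst, worm-flag).

    With include_worm=False the worm flows are dropped, giving the 'before'
    picture from the same log file.
    """
    edges = Counter()
    for rec in records:
        worm = is_worm(rec)
        if worm and not include_worm:
            continue
        edges[(rec["src"], rec["dst"], worm)] += 1
    return edges


def worm_sources(records):
    """Distinct source hosts that sent worm traffic (the infected scanners)."""
    return sorted({rec["src"] for rec in records if is_worm(rec)})


def _esc(s):
    return s.replace('"', '\\"')


def to_gdl(edges, title):
    """Render a GDL graph: one node per host, one edge per (src, dst).

    Worm edges are drawn red; edge thickness grows with flow count (capped).
    """
    hosts = sorted({h for src, dst, _ in edges for h in (src, dst)})
    out = ["graph: {", f'  title: "{_esc(title)}"']
    for h in hosts:
        out.append(f'  node: {{ title: "{h}" }}')
    for (src, dst, worm), n in sorted(edges.items()):
        colour = "red" if worm else "black"
        out.append(
            f'  edge: {{ sourcename: "{src}" targetname: "{dst}" '
            f'color: {colour} thickness: {min(n, 8)} label: "{n}" }}'
        )
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(to_gdl(build_edges(recs, include_worm=False), "before: worm traffic removed"))
    print(to_gdl(build_edges(recs), "after: worm traffic included"))
    print("infected sources:", worm_sources(recs))
```

Each call to `to_gdl` produces a complete GDL file that aiSee can open directly; in a real deployment the source and destination addresses would come from the firewall's own log format, so only `LINE_RE` needs to change.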
The graphs show just 15 minutes worth of traffic at midnight,
but the impact of the worm is already clearly visible. You can imagine what
24 hours must have been like.
I love to see Ed's work recognised, and this is just one
example of what he does, both for
a living and for fun, on a day-to-day basis. He is indeed a great guy, a very
bright, humble, quietly spoken fellow, and singularly the best and brightest
security guru I know.
I am very grateful to AbsInt for the opportunity to have Ed's work
displayed as the aiSee Graph(s) of the Month. This will be a most unexpected
early Christmas gift for him.