bash script to visualize OSSEC attack data on a world map


nitefood

Aug 29, 2015, 21:02:09
to ossec-list

Hello all,

I have created a bash script to visualize attack data from OSSEC DB on a world map by geolocating attackers IPs (using MaxMind's GeoIP db and tools) and calculating Top N attacking countries.
Not sure if this is a novel idea, but I couldn't find anything to do this the way I wanted it, so I decided to quickly hack together a little script.
This is what the output html looks like:

By clicking the toggle button, you'll see the list of all unique, geolocalized attackers IPs found in your OSSEC database, sorted by the number of attacks (actually the times they appear in the DB) they ran on you. Something like this:

157 attacks : 1.2.3.4 (Russia)
140 attacks : 5.6.7.8 (China)
etc.

If anybody is interested, the script is attached. Feel free to modify it in any way you please. Make sure you read the notes at the beginning and change the appropriate values in the configuration section.

Disclaimer: I wrote this script quickly and in my spare time, just to get some insight on the attack sources on my infrastructure. The HTML output is probably fugly by today's standards, there's very little sanity checking, and next to no code optimization or cleanup in here, so if you feel so inclined, improve or rewrite it in a faster language and share it for others to enjoy it.

Hope you find it useful.

Take care,
nitefood

ossec-attackmap.sh

Hak Bun

Oct 23, 2015, 00:32:01
to ossec-list
Hi Nitefood,

I am new to OSSEC.
Can you show the steps to test the above attack script?

Thanks,
Hak

nitefood

Nov 8, 2015, 17:08:12
to ossec-list
Hi,

you should have an OSSEC setup (using a mysql DB backend for your data) up and running already. At that point, as long as you received attacks/failed login attempts/etc on your infrastructure, this script will fetch that data off your database, geolocate the offending IP addresses, and visualize their geographic position on the output web page.

In order to get proper results from this script, you'll first need to edit it and fill in the required configuration variables (for instance database credentials for your OSSEC db). I've put in some hints regarding the required tools you'll need for geolocation.
Once you've set it up, simply run the script from your shell and pipe the output to an html file, then open that file in your browser. I personally run this as a daily cron job and make it output the result to my wwwroot, and simply access the page from my browser.

HTH
nitefood

nitefood

Nov 8, 2015, 17:18:41
to ossec-list
Oh, perhaps I should also add that I've hardcoded a rule in the db query that grabs only alerts of level 8+, so as to show only "serious" attempts, and not false positives or minor errors.
If you need to change it for test purposes, or for whatever reason, just change the "signature.level >= 8" part of the database query at line 105.

nitefood
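The aggregation step the thread describes (count alerts per unique source IP, attach a country, rank countries), as an added example that is not the attached ossec-attackmap.sh: the list of source IPs is a constructed sample standing in for the output of the script's level-8+ database query, and geo_country is a constructed lookup table standing in for MaxMind's geoiplookup tool.

```shell
#!/usr/bin/env bash
# Constructed sample of what the OSSEC alert query (source IP column, only
# rows with signature.level >= 8) would return; the real script gets this
# from mysql(1). One IP per line, one line per alert.
SAMPLE_ALERTS='1.2.3.4
5.6.7.8
1.2.3.4
9.9.9.9
5.6.7.8
1.2.3.4'

# Stand-in for geoiplookup(1): maps an IP to a country name using a
# constructed table so the example runs offline.
geo_country() {
  case "$1" in
    1.2.3.4) echo "Russia" ;;
    5.6.7.8) echo "China" ;;
    9.9.9.9) echo "Brazil" ;;
    *)       echo "Unknown" ;;
  esac
}

# Alerts per unique source IP, most active first, with the country name.
# Output lines look like: "3 attacks : 1.2.3.4 (Russia)"
attackers_by_count() {
  printf '%s\n' "$1" | grep -v '^$' | sort | uniq -c | sort -k1,1nr -k2,2 \
  | while read -r count ip; do
      printf '%s attacks : %s (%s)\n' "$count" "$ip" "$(geo_country "$ip")"
    done
}

# Top N attacking countries ranked by total alert count (not unique IPs).
# Output lines look like: "Russia 3"
top_countries() {
  n="$2"
  printf '%s\n' "$1" | grep -v '^$' \
  | while read -r ip; do geo_country "$ip"; done \
  | sort | uniq -c | sort -k1,1nr -k2,2 | head -n "$n" \
  | while read -r count country; do printf '%s %s\n' "$country" "$count"; done
}
```

Feeding real query output into attackers_by_count and top_countries gives the two lists the script renders into its HTML page.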