Hello all,
I have created a bash script to visualize attack data from the OSSEC DB on a world map by geolocating attackers' IPs (using MaxMind's GeoIP DB and tools) and calculating the Top N attacking countries.
Not sure if this is a novel idea, but I couldn't find anything to do this the way I wanted it, so I decided to quickly hack together a little script.
This is what the output HTML looks like:
By clicking the toggle button, you'll see the list of all unique, geolocalized attackers' IPs found in your OSSEC database, sorted by the number of attacks (actually the number of times they appear in the DB) they ran on you. Something like this:
157 attacks : 1.2.3.4 (Russia)
140 attacks : 5.6.7.8 (China)
etc.
If anybody is interested, the script is attached. Feel free to modify it in any way you please. Make sure you read the notes at the beginning and change the appropriate values in the configuration section.
Disclaimer: I wrote this script quickly and in my spare time, just to get some insight on the attack sources on my infrastructure. The HTML output is probably fugly by today's standards, there's very little sanity checking, and next to no code optimization or cleanup in here, so if you feel so inclined, improve or rewrite it in a faster language and share it for others to enjoy it.
Hope you find it useful.
Take care,
nitefood
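The core of the pipeline described in the post (extract attacker IPs from the OSSEC DB, geolocate each one, count per IP, then aggregate a Top N by country), as an added example that is not nitefood's attached script. The DB query and MaxMind's geoiplookup are replaced with constructed stand-ins so it runs offline; every address and country mapping below is invented.

```bash
#!/usr/bin/env bash
# Added example (not the script from the post): the counting and
# geolocation steps on constructed data, so it runs without OSSEC or GeoIP.
set -eu

# Constructed stand-in for the source IPs a query against the OSSEC DB
# would return, one line per alert. All addresses are invented.
SAMPLE_IPS='1.2.3.4
5.6.7.8
1.2.3.4
9.9.9.9
1.2.3.4
5.6.7.8
192.168.1.50'

# Stand-in for MaxMind's geoiplookup: a constructed IP-to-country table.
# With the real tool you would parse the output of: geoiplookup "$1"
geo_lookup() {
    case "$1" in
        1.2.3.*) echo "Russia" ;;
        5.6.7.*) echo "China" ;;
        9.9.9.*) echo "United States" ;;
        *)       echo "Unknown" ;;   # private or unresolvable addresses
    esac
}

# Reads IPs on stdin; prints "<count> attacks : <ip> (<country>)",
# one line per unique IP, sorted by count descending (the toggle list).
count_attackers() {
    sort | uniq -c | sort -rn | while read -r count ip; do
        printf '%s attacks : %s (%s)\n' "$count" "$ip" "$(geo_lookup "$ip")"
    done
}

# Reads IPs on stdin; prints the top N countries as "<count> <country>".
top_countries() {
    n=$1
    while read -r ip; do geo_lookup "$ip"; done \
        | sort | uniq -c | sort -rn | head -n "$n" \
        | awk '{c=$1; $1=""; sub(/^ /,""); print c, $0}'
}

printf '%s\n' "$SAMPLE_IPS" | count_attackers
echo "--- top 2 attacking countries ---"
printf '%s\n' "$SAMPLE_IPS" | top_countries 2
```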