hrbrmstr / pewpew

:star: :star: :star: Build your own IP Attack Maps with SOUND!

Home Page: https://rud.is/pewpew/


Add functionality to pull in REAL attack data from security system sources (Honeypot/IPS/Firewalls).

HackVector opened this issue

Hello,

It would be awesome to add functionality of this attack map so that the map displays real attack data from security system sources such as Honeypots, Intrusion Prevention Systems, Intrusion Detection Systems, and Firewalls that we run on our network.

We could really use this feature. If we could pull from a log file that we generate, within a customize-able time period, it will help show what our systems deal with on a daily basis!

I second this enhancement

If you inspect the HTML on the link described here - http://datadrivensecurity.info/blog/posts/2015/Aug/mhn-machinations-r-python-javascript/ - there's a good start on it (pulling live data from the MHN network).

Like your project and would like to ask for something if possible. Rather than using random IPs, can you make it read a CSV file that contains source attacker, target IP, source country and target country?

Would be amazing if it's possible.

So, I've pretty much got a working version of this now. I made a few mods to this project to suit my needs and trimmed down most of the options (I took out most of the formatting, sounds, etc.). I was looking to display live attack data on a dashboard.

The key is a node.js app I wrote which serves up the map web page, listens on 514 for incoming messages, pulls IP addresses out of the message, performs an ip-geolookup, and sends that data to the browser, where the arcs are drawn.

The idea was that you can send any syslog data at it, and it will map the IPs it sees. For my project, all the destination IPs are always my datacenter, so I have that as a static destination for all the arcs. For that reason, I put the bubbles at the source, not the destination. You could mess with the logic a bit and feed it live source and destination if you choose.

Disclaimer: First javascript and html I've written, so excuse any formatting or logic errors. Also, pretty new to github, so hopefully everything is set up right.

I did have a working version which parsed log files as I built this. I had trouble slowing it down when running it in javascript. I think this works better - I wrote a PowerShell script which I've included in the project test folder which will parse a CSV file for IP addresses, and send it over a socket 514 to your node instance. The PowerShell script has a throttle in it. Alternately, the node app could be reworked to read a file.

https://github.com/joshftx/maps

Josh - You rock! This is perfect. I will try this out and give you some feedback. I agree on making a buffer on the attack map server.