
Add functionality to pull in REAL attack data from security system sources (Honeypot/IPS/Firewalls). #16

Open
HackVector opened this issue Aug 20, 2015 · 6 comments

@HackVector

Hello,

It would be awesome to add functionality of this attack map so that the map displays real attack data from security system sources such as Honeypots, Intrusion Prevention Systems, Intrusion Detection Systems, and Firewalls that we run on our network.

@hrbrmstr hrbrmstr self-assigned this Aug 20, 2015
@Gold-Vibes

We could really use this feature. If we could pull from a log file that we generate, within a customizable time period, it will help show what our systems deal with on a daily basis!

@Shabahz

Shabahz commented Sep 13, 2015

I second this enhancement

@hrbrmstr (Owner)

If you inspect the HTML on the link described here - http://datadrivensecurity.info/blog/posts/2015/Aug/mhn-machinations-r-python-javascript/ - there's a good start on it (pulling live data from the MHN network).

@iskono

iskono commented Mar 29, 2016

I like your project and would like to ask for something, if possible: rather than using random IPs, can you make it read a CSV file that contains the source attacker, target IP, source country and target country?

It would be amazing if that's possible.

@joshftx

joshftx commented May 16, 2016

So, I've pretty much got a working version of this now. I made a few mods to this project to suit my needs and trimmed down most of the options (I took out most of the formatting, sounds, etc.). I was looking to display live attack data on a dashboard.

The key is a Node.js app I wrote which serves up the map web page, listens on 514 for incoming messages, pulls IP addresses out of the message, performs an IP geolookup, and sends that data to the browser, where the arcs are drawn.

The idea was that you can send any syslog data at it, and it will map the IPs it sees. For my project, all the destination IPs are always my datacenter, so I have that as a static destination for all the arcs. For that reason, I put the bubbles at the source, not the destination. You could mess with the logic a bit and feed it live source and destination if you choose.

Disclaimer: First JavaScript and HTML I've written, so excuse any formatting or logic errors. Also, pretty new to GitHub, so hopefully everything is set up right.

I did have a working version which parsed log files as I built this. I had trouble slowing it down when running it in JavaScript. I think this works better - I wrote a PowerShell script which I've included in the project test folder which will parse a CSV file for IP addresses, and send it over a socket on port 514 to your node instance. The PowerShell script has a throttle in it. Alternately, the node app could be reworked to read a file.

https://github.com/joshftx/maps

@HackVector (Author)

Josh - You rock! This is perfect. I will try this out and give you some feedback. I agree on making a buffer on the attack map server.
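The server-side half of the design joshftx describes (listen for syslog, pull IPs out of each message, hand them to a geolookup and on to the browser), together with the server-side buffer HackVector agrees is needed, as an added example. This is not joshftx's code from https://github.com/joshftx/maps and not part of this project; it is written from scratch to show the two guards a practitioner would want in that pipeline: a filter that keeps only public IPv4 addresses (so a `DST=` on your own LAN is never geolocated or drawn as an attacker), and a bounded, rate-limited queue between the UDP listener and the geolookup (so a log burst, or a stranger spraying fake messages at UDP/514, which is unauthenticated, cannot fan out into thousands of lookups and browser pushes). The function names, queue parameters and sample log lines are all made up here; the thread names no geolocation provider, so that step is left to whatever drains the queue.

```javascript
'use strict';
// Added example, not joshftx's code: syslog line -> public IPv4 addresses ->
// bounded, rate-limited queue. All names and parameters are assumptions.

// Candidate IPv4 addresses: four 1..3 digit groups not touching other digits
// or dots, so "1.2.3.4.5" does not yield a partial hit.
const IPV4_RE = /(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])/g;

function isValidIPv4(octets) {
  return octets.length === 4 && octets.every(o => o >= 0 && o <= 255);
}

// Address space that can never be an Internet-side attacker.
function isBogon([a, b, c]) {
  if (a === 0 || a === 10 || a === 127) return true;        // 0/8, RFC 1918 10/8, loopback
  if (a === 100 && b >= 64 && b <= 127) return true;        // CGNAT 100.64/10
  if (a === 169 && b === 254) return true;                  // link-local
  if (a === 172 && b >= 16 && b <= 31) return true;         // RFC 1918 172.16/12
  if (a === 192 && b === 168) return true;                  // RFC 1918 192.168/16
  if (a === 192 && b === 0 && c === 2) return true;         // TEST-NET-1
  if (a === 198 && (b === 18 || b === 19)) return true;     // benchmarking 198.18/15
  if (a === 198 && b === 51 && c === 100) return true;      // TEST-NET-2
  if (a === 203 && b === 0 && c === 113) return true;       // TEST-NET-3
  return a >= 224;                                          // multicast, reserved, broadcast
}

// Public IPv4 addresses in one syslog message, first-seen order, no duplicates.
function extractPublicIPs(line) {
  const seen = new Set();
  const out = [];
  for (const m of line.matchAll(IPV4_RE)) {
    const octets = m.slice(1, 5).map(Number);
    if (!isValidIPv4(octets) || isBogon(octets)) continue;
    const ip = octets.join('.');              // also normalises leading zeros
    if (!seen.has(ip)) { seen.add(ip); out.push(ip); }
  }
  return out;
}

// Bounded FIFO drained at most `perSecond` items per second (a token bucket
// holding one second's worth). Time is passed in so behaviour is deterministic;
// a real server calls drain() from a setInterval and geolocates what comes out.
class ThrottledQueue {
  constructor({ maxSize = 1000, perSecond = 20 } = {}) {
    this.maxSize = maxSize;
    this.perSecond = perSecond;
    this.items = [];
    this.dropped = 0;          // events discarded because the queue was full
    this.credit = perSecond;   // start with a full bucket
    this.lastDrain = null;
  }
  push(item) {
    if (this.items.length >= this.maxSize) { this.dropped += 1; return false; }
    this.items.push(item);
    return true;
  }
  drain(nowMs = Date.now()) {
    if (this.lastDrain !== null) {
      const earned = (nowMs - this.lastDrain) * this.perSecond / 1000;
      this.credit = Math.min(this.perSecond, this.credit + Math.max(0, earned));
    }
    this.lastDrain = nowMs;
    const n = Math.min(this.items.length, Math.floor(this.credit));
    this.credit -= n;
    return this.items.splice(0, n);
  }
}

// One syslog message in, zero or more {ip, seenAt} events queued.
// Returns how many were queued (not dropped) so the caller can count loss.
function ingestLine(line, queue, seenAt = Date.now()) {
  let queued = 0;
  for (const ip of extractPublicIPs(line)) {
    if (queue.push({ ip, seenAt })) queued += 1;
  }
  return queued;
}

// UDP/514 listener as in the comment. Binding to 514 needs root (or
// CAP_NET_BIND_SERVICE) on Linux, and anyone who can reach the port can inject
// messages, which is why the queue above caps the damage. Not started here.
function startSyslogListener(queue, { port = 514, host = '0.0.0.0' } = {}) {
  const dgram = require('dgram');
  const sock = dgram.createSocket('udp4');
  sock.on('message', (buf) => ingestLine(buf.toString('utf8'), queue));
  sock.bind(port, host);
  return sock;
}

// Constructed sample messages (the attacker addresses are made up).
const SAMPLE_LINES = [
  '<34>Aug 20 10:15:01 fw1 kernel: DROP IN=eth0 SRC=91.210.100.17 DST=192.168.1.10 PROTO=TCP DPT=22',
  '<38>Aug 20 10:15:02 hp1 cowrie: login attempt [root/123456] from 45.142.212.100 to 10.0.0.5',
  '<38>Aug 20 10:15:02 hp1 cowrie: login attempt [admin/admin] from 45.142.212.100',
  '<13>Aug 20 10:15:03 ids1 snort: [1:999:1] noise 300.1.2.3 -> 172.16.4.4 version 1.2.3.4.5',
];

// Run the samples through the pipeline; returns the IPs that would be geolocated.
function demo() {
  const q = new ThrottledQueue({ maxSize: 100, perSecond: 10 });
  for (const line of SAMPLE_LINES) ingestLine(line, q, 0);
  return q.drain(0).map(e => e.ip);
}

if (typeof module !== 'undefined') {
  module.exports = { extractPublicIPs, ThrottledQueue, ingestLine, startSyslogListener, SAMPLE_LINES, demo };
}
```

`demo()` yields the three public source addresses and nothing from the fourth line: the out-of-range octet, the RFC 1918 destination and the five-part version string are all rejected. Wiring this into a map server means calling `startSyslogListener(queue)` once and draining the queue on a timer; the drop counter is worth exposing on the dashboard, since a sudden jump in `dropped` is itself a signal that someone is flooding the listener.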

6 participants