Hi, you should have an OSSEC setup (using a MySQL DB backend for your data) up and running already. At that point, as long as you received attacks/failed login attempts/etc. on your infrastructure, this script will fetch that data off your database, geolocate the offending IP addresses, and visualize their geographic position on the output web page.

In order to get proper results from this script, you'll first need to edit it and fill in the required configuration variables (for instance database credentials for your OSSEC DB). I've put in some hints regarding the required tools you'll need for geolocation. Once you've set it up, simply run the script from your shell, pipe the output to an HTML file, and open that file in your browser. I personally run this as a daily cron job and make it output the result to my wwwroot, and simply access the page from my browser.

HTH
nitefood

On Friday, 23 October 2015 06:32:01 UTC+2, Hak Bun wrote:
>
> Hi Nitefood,
>
> I am new to OSSEC.
> Can you show the steps to test the above attack script?
>
> Thanks,
> Hak
>
> On Sunday, August 30, 2015 at 8:02:09 AM UTC+7, nitefood wrote:
>>
>> Hello all,
>>
>> I have created a bash script to visualize attack data from OSSEC DB on a world map by geolocating attackers' IPs (using MaxMind's GeoIP db and tools) and calculating Top N attacking countries.
>> Not sure if this is a novel idea, but I couldn't find anything to do this the way I wanted it, so I decided to quickly hack together a little script.
>> This is what the output html looks like:
>>
>> <https://lh3.googleusercontent.com/-wbPYWRLZ-94/VeJLuN6rU7I/AAAAAAAABFo/thlpjlAmiBU/s1600/Screenshot%2B2015-08-30%2B01.29.51.png>
>>
>> By clicking the toggle button, you'll see the list of all unique, geolocalized attackers' IPs found in your OSSEC database, sorted by the number of attacks (actually the times they appear in the DB) they ran on you. Something like this:
>>
>> 157 attacks : 1.2.3.4 (*Russia*)
>> 140 attacks : 5.6.7.8 (*China*)
>> etc.
>>
>> If anybody is interested, the script is attached. Feel free to modify it in any way you please. Make sure you read the notes at the beginning and change the appropriate values in the configuration section.
>>
>> Disclaimer: I wrote this script quickly and in my spare time, just to get some insight on the attack sources on my infrastructure. The HTML output is probably fugly by today's standards, there's very little sanity checking, and next to no code optimization or cleanup in here, so if you feel so inclined, improve or rewrite it in a faster language and share it for others to enjoy it.
>>
>> Hope you find it useful.
>>
>> Take care,
>> nitefood
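As an added example (not nitefood's attached script, which is not on this page), here is a small sh pipeline doing the three things the original post describes: counting how often each source IP appears in the OSSEC DB, geolocating it with MaxMind's `geoiplookup`, and ranking the Top N countries. The OSSEC query assumes `alert.src_ip` is stored as an unsigned integer (check your schema); the IP list is constructed so the demo runs offline.

```shell
# Added example (not nitefood's script): rank attackers and Top N countries.
set -u
TOP_N=3
# MaxMind's legacy CLI, which prints "GeoIP Country Edition: RU, Russian Federation";
# point it at another command or shell function to resolve offline.
GEOIP_LOOKUP="${GEOIP_LOOKUP:-geoiplookup}"
# Constructed sample of alert source IPs (documentation ranges), standing in
# for the rows fetch_ips_from_db would return.
SAMPLE_IPS='203.0.113.7
203.0.113.7
198.51.100.9
203.0.113.7
192.0.2.44
198.51.100.9
203.0.113.7'

# Assumption: OSSEC's MySQL schema stores alert.src_ip as an unsigned int,
# so INET_NTOA() gives the dotted quad back. Not run in the demo below.
fetch_ips_from_db() {
  mysql -N -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" \
    -e 'SELECT INET_NTOA(src_ip) FROM alert WHERE src_ip IS NOT NULL'
}

# Country name for one IP; "Unknown" when no resolver is present or nothing matches.
country_of() {
  name=""
  if command -v "$GEOIP_LOOKUP" >/dev/null 2>&1; then
    name=$("$GEOIP_LOOKUP" "$1" | sed -n 's/^GeoIP Country Edition: [A-Z0-9-]*, //p' | head -n 1)
  fi
  printf '%s\n' "${name:-Unknown}"
}

# stdin: one IP per alert row. stdout: "<n> attacks : <ip> (<country>)", busiest first.
rank_attackers() {
  sort | uniq -c | sort -rn | while read -r count ip; do
    printf '%s attacks : %s (%s)\n' "$count" "$ip" "$(country_of "$ip")"
  done
}

# stdin: rank_attackers output. stdout: "<attacks> <country>" for the top N countries.
top_countries() {
  sed 's/^\([0-9]*\) attacks : [^ ]* (\(.*\))$/\1 \2/' \
    | awk '{ c[substr($0, index($0, " ") + 1)] += $1 }
           END { for (k in c) printf "%d %s\n", c[k], k }' \
    | sort -rn | head -n "${1:-$TOP_N}"
}

# Stand-alone demo on the sample; swap in fetch_ips_from_db for live data.
ranked=$(printf '%s\n' "$SAMPLE_IPS" | rank_attackers)
printf '%s\nTop %s countries:\n' "$ranked" "$TOP_N"
printf '%s\n' "$ranked" | top_countries
```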
