Oh, perhaps I should also add that I've hardcoded a rule in the db query that grabs only alerts of level 8+, so as to show only "serious" attempts, and not false positives or minor errors. If you need to change it for test purposes, or for whatever reason, just change the "signature.level >= 8" part of the database query at line 105.
nitefood

On Sunday, 8 November 2015 at 23:08:12 UTC+1, nitefood wrote:
>
> Hi,
>
> you should have an OSSEC setup (using a mysql DB backend for your data) up
> and running already. At that point, as long as you received attacks/failed
> login attempts/etc on your infrastructure, this script will fetch that data
> off your database, geolocate the offending IP addresses, and visualize
> their geographic position on the output web page.
>
> In order to get proper results from this script, you'll first need to edit
> it and fill in the required configuration variables (for instance database
> credentials for your OSSEC db). I've put in some hints regarding the
> required tools you'll need for geolocation.
> Once you've set it up, simply run the script from your shell and pipe the
> output to an html file, and open such file in your browser. I personally
> run this as a daily cron job and make it output the result to my wwwroot,
> and simply access the page from my browser.
>
> HTH
> nitefood
>
>
> On Friday, 23 October 2015 at 06:32:01 UTC+2, Hak Bun wrote:
>>
>> Hi Nitefood,
>>
>> I am new to OSSEC.
>> Can you show the steps to test the above attack script?
>>
>> Thanks,
>> Hak
>>
>> On Sunday, August 30, 2015 at 8:02:09 AM UTC+7, nitefood wrote:
>>>
>>> Hello all,
>>>
>>> I have created a bash script to visualize attack data from OSSEC DB on a
>>> world map by geolocating attackers' IPs (using MaxMind's GeoIP db and tools)
>>> and calculating Top N attacking countries.
>>> Not sure if this is a novel idea, but I couldn't find anything to do
>>> this the way I wanted it, so I decided to quickly hack together a little
>>> script.
>>> This is what the output html looks like:
>>>
>>> <https://lh3.googleusercontent.com/-wbPYWRLZ-94/VeJLuN6rU7I/AAAAAAAABFo/thlpjlAmiBU/s1600/Screenshot%2B2015-08-30%2B01.29.51.png>
>>>
>>> By clicking the toggle button, you'll see the list of all unique,
>>> geolocalized attackers' IPs found in your OSSEC database, sorted by the
>>> number of attacks (actually the times they appear in the DB) they ran on
>>> you. Something like this:
>>>
>>> 157 attacks : 1.2.3.4 (*Russia*)
>>> 140 attacks : 5.6.7.8 (*China*)
>>> etc.
>>>
>>> If anybody is interested, the script is attached. Feel free to modify it
>>> in any way you please. Make sure you read the notes at the beginning and
>>> change the appropriate values in the configuration section.
>>>
>>> Disclaimer: I wrote this script quickly and in my spare time, just to
>>> get some insight on the attack sources on my infrastructure. The HTML
>>> output is probably fugly by today's standards, there's very little sanity
>>> checking, and next to no code optimization or cleanup in here, so if you
>>> feel so inclined, improve or rewrite it in a faster language and share it
>>> for others to enjoy it.
>>>
>>> Hope you find it useful.
>>>
>>> Take care,
>>> nitefood
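The level 8+ filter from the reply and the per-IP and per-country tallies from the original announcement, as an added POSIX sh example that is not nitefood's script: the alert rows and the IP-to-country table are constructed sample data standing in for the OSSEC MySQL query output and for MaxMind's geoiplookup tool.

```shell
#!/bin/sh
# Added example, not nitefood's script. Rows stand in for what a `mysql -B -N`
# query joining OSSEC's alert and signature tables returns ("<level>\t<src_ip>");
# GEO_TABLE stands in for MaxMind's geoiplookup. Both are constructed sample data.
MIN_LEVEL=8           # same threshold as the script's "signature.level >= 8"
TAB="$(printf '\t')"
# Constructed alert rows: signature level, then source IP.
SAMPLE_ALERTS="5${TAB}1.2.3.4
10${TAB}1.2.3.4
10${TAB}1.2.3.4
8${TAB}5.6.7.8
3${TAB}198.51.100.9
12${TAB}5.6.7.8
9${TAB}1.2.3.4
10${TAB}4.4.4.4
11${TAB}4.4.4.4
9${TAB}203.0.113.7"
# Constructed geolocation table (IP, country); a miss resolves to "Unknown".
GEO_TABLE="1.2.3.4${TAB}Russia
5.6.7.8${TAB}China
4.4.4.4${TAB}China"

lookup_country() {
    printf '%s\n' "$GEO_TABLE" | awk -F'\t' -v ip="$1" \
        '$1 == ip { print $2; found = 1 } END { if (!found) print "Unknown" }'
}

# Keep alerts at or above MIN_LEVEL, count them per source IP and print the
# list shown in the thread, "<count> attacks : <ip> (<country>)", busiest first.
top_attackers() {
    printf '%s\n' "$SAMPLE_ALERTS" \
      | awk -F'\t' -v min="$MIN_LEVEL" \
            '$1 >= min { n[$2]++ } END { for (ip in n) print n[ip] "\t" ip }' \
      | sort -t"$TAB" -k1,1nr -k2,2 \
      | while IFS="$TAB" read -r count ip; do
            printf '%s attacks : %s (%s)\n' "$count" "$ip" "$(lookup_country "$ip")"
        done
}

# Roll the per-IP list up into the "Top N attacking countries" table (N = $1).
top_countries() {
    top_attackers \
      | sed -E "s/^([0-9]+) attacks : [^ ]+ \((.*)\)\$/\1${TAB}\2/" \
      | awk -F'\t' '{ total[$2] += $1 } END { for (c in total) print total[c] "\t" c }' \
      | sort -t"$TAB" -k1,1nr -k2,2 \
      | head -n "${1:-10}" \
      | awk -F'\t' '{ print $1 " attacks : " $2 }'
}
top_attackers; echo; top_countries 3
```

Swapping the two constructed tables for the real query output and a geoiplookup call gives the same two lists the script renders into its HTML page.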
