Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/matthewclarkmay/geoip-attack-map

Cyber security geoip attack map that follows syslog and parses IPs/port numbers to visualize attackers in real time.
https://github.com/matthewclarkmay/geoip-attack-map

Last synced: 11 days ago
JSON representation

Cyber security geoip attack map that follows syslog and parses IPs/port numbers to visualize attackers in real time.

Host: GitHub
URL: https://github.com/matthewclarkmay/geoip-attack-map
Owner: MatthewClarkMay
License: apache-2.0
Created: 2016-03-19T16:34:36.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2023-09-26T03:29:09.000Z (about 1 year ago)
Last Synced: 2024-08-08T23:24:16.127Z (3 months ago)
Language: Python
Size: 162 KB
Stars: 347
Watchers: 38
Forks: 200
Open Issues: 19
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

### First and Foremost
I do not have much time in my life right now to maintain this project. I undertook this challenge as a means to learn JavaScript, and to improve upon the Python I already knew. I'm sure there are several things I could have done differently in my implementation, and I won't be offended if I receive constructive criticism from someone who downloads and views my code. I know I learned a ton when working on this, and I hope the open source community will continue to teach me things :)

NOTE: Because I don't maintain this project there are a few features that probably don't work out the box, for example, the map probably won't display because I don't pay for a legitimate MapBox API key. To fix this you will probably have to create your own MapBox account and use your own key.

### Cyber Security GeoIP Attack Map Visualization
This geoip attack map visualizer was developed to display network attacks on your organization in real time. The data server follows a syslog file, and parses out source IP, destination IP, source port, and destination port. Protocols are determined via common ports, and the visualizations vary in color based on protocol type. [CLICK HERE](https://www.youtube.com/watch?v=zTvLJjTzJnU) for a demo video. This project would not be possible if it weren't for Sam Cappella, who created a cyber defense competition network traffic visualizer for the 2015 Palmetto Cyber Defense Competition. I mainly used his code as a reference, but I did borrow a few functions while creating the display server, and visual aspects of the webapp. I would also like to give special thanks to [Dylan Madisetti](http://www.dylanmadisetti.com/) as well for giving me advice about certain aspects of my implementation.

### Important
This program relies entirely on syslog, and because all appliances format logs differently, you will need to customize the log parsing function(s). If your organization uses a security information and event management system (SIEM), it can probably normalize logs to save you a ton of time writing regex.
1. Send all syslog to SIEM.
2. Use SIEM to normalize logs.
3. Send normalized logs to the box (any Linux machine running syslog-ng will work) running this software so the data server can parse them.

### Configs
1. Make sure in **/etc/redis/redis.conf** to change **bind 127.0.0.1** to **bind 0.0.0.0** if you plan on running the DataServer on a different machine than the AttackMapServer.
2. Make sure that the WebSocket address in **/AttackMapServer/index.html** points back to the IP address of the **AttackMapServer** so the browser knows the address of the WebSocket.
3. Download the MaxMind GeoLite2 database, and change the db_path variable in **DataServer.py** to the wherever you store the database.
* ./db-dl.sh
4. Add headquarters latitude/longitude to hqLatLng variable in **index.html**
5. Use syslog-gen.py, or syslog-gen.sh to simulate dummy traffic "out of the box."
6. **IMPORTANT: Remember, this code will only run correctly in a production environment after personalizing the parsing functions. The default parsing function is only written to parse ./syslog-gen.sh traffic.**

### Bugs, Feedback, and Questions
If you find any errors or bugs, please let me know. Questions and feedback are also welcome, and can be sent to [email protected], or open an issue in this repository.

### Deploy example
Tested on Ubuntu 16.04 LTS.

* Clone the application:

```sh
git clone https://github.com/matthewclarkmay/geoip-attack-map.git
```

* Install system dependencies:

```sh
sudo apt install python3-pip redis-server

```

* Install python requirements:

```sh
cd geoip-attack-map
sudo pip3 install -U -r requirements.txt

```

* Start Redis Server:

```sh
redis-server

```
* Configure the Data Server DB:

```sh
cd DataServerDB
./db-dl.sh
cd ..

```
* Start the Data Server:

```sh
cd DataServer
sudo python3 DataServer.py

```

* Start the Syslog Gen Script, inside DataServer directory:

* Open a new terminal tab (Ctrl+Shift+T, on Ubuntu).

```sh
./syslog-gen.py
./syslog-gen.sh
```

* Configure the Attack Map Server, extract the flags to the right place:

* Open a new terminal tab (Ctrl+Shift+T, on Ubuntu).

```sh
cd AttackMapServer/
unzip static/flags.zip
```

* Start the Attack Map Server:

```sh
sudo python3 AttackMapServer.py
```

* Access the Attack Map Server from browser:

* [http://localhost:8888/](http://localhost:8888/) or [http://127.0.0.1:8888/](http://127.0.0.1:8888/)

* To access via browser on another computer, use the external IP of the machine running the AttackMapServer.

* Edit the IP Address in the file "/static/map.js" at "AttackMapServer" directory. From:

```javascript
var webSock = new WebSocket("ws:/127.0.0.1:8888/websocket");
```
* To, for example:

```javascript
var webSock = new WebSocket("ws:/192.168.1.100:8888/websocket");
```
* Restart the Attack Map Server:

```sh
sudo python3 AttackMapServer.py
```
* On the other computer, points the browser to:

```sh
http://192.168.1.100:8888/
```