MatthewClarkMay / geoip-attack-map

Cyber security geoip attack map that follows syslog and parses IPs/port numbers to visualize attackers in real time.
Apache License 2.0

OSSIM to geoip-attack-map #25

Open aungdin opened 6 years ago

aungdin commented 6 years ago

How to do log normalization?

diegodblr commented 5 years ago

Hi, I do the normalization using the OSSIM Alien Vault log and a shell script with the swatch tool to put the log in the format of the attack map.

suhiherazeN1N commented 5 years ago

Can you please elaborate the process @diegodblr

diegodblr commented 5 years ago

Ok, the whole process is:

1 - Enable fast log in /etc/suricata/suricata.yaml.
2 - Configure a shell script to read the fast log and write the log formatted for DataServer.py. The shell script result is:

echo "$IP,$IP2,$PORT1,$PORT2,$TYPE,$CVE" > /var/log/suricata.log

You can use the SWATCH software to read the fast log. This is the mask to read the fast log with SWATCH (dots escaped so they match only literal dots):

watchfor /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/


suhiherazeN1N commented 5 years ago

Thanks !

But what do I do to parse the Cowrie and glastopf honeypot logs into the map? Please help, I am very new to this area. @diegodblr

diegodblr commented 5 years ago

Sorry, but I don't know this software. Here I work with the Suricata IDS.

suhiherazeN1N commented 5 years ago

Ok. Then can you please elaborate the OSSIM AlienVault process of log normalization? @diegodblr

diegodblr commented 5 years ago

Ok, the whole process is:

1 - Enable fast log in /etc/suricata/suricata.yaml.
2 - Configure a shell script to read the fast log and write the log formatted for DataServer.py. The shell script result is:

echo "$IP,$IP2,$PORT1,$PORT2,$TYPE,$CVE" > /var/log/suricata.log

You can use the SWATCH software to read the fast log. This is the mask to read the fast log with SWATCH (dots escaped so they match only literal dots):

watchfor /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
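The conversion step described in the two comments above (Suricata fast.log line in, "IP,IP2,PORT1,PORT2,TYPE,CVE" record out), as an added example in Python rather than SWATCH; this is not code from geoip-attack-map or from the commenter, and it assumes TYPE is the alert classification and CVE is a reference found in the alert message (or "none"). It handles IPv4 only, like the SWATCH mask, and copes with ICMP alerts that carry no ports and with non-alert lines.

```python
"""Added example: turn Suricata fast.log alert lines into the 6-field record
the thread writes for DataServer.py (IP,IP2,PORT1,PORT2,TYPE,CVE). Not the
project's code; TYPE = classification, CVE = reference in the message (assumed)."""
import re
from typing import List, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"  # IPv4 only, like the swatch mask in the thread
# fast.log layout: ts  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
FAST_LINE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+\d+\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?\s*$"
)
CVE_REF = re.compile(r"CVE-\d{4}-\d{4,}")


def fast_to_record(line: str) -> Optional[str]:
    """Return 'IP,IP2,PORT1,PORT2,TYPE,CVE' for one alert line, or None when the
    line is not a well-formed IPv4 fast.log alert."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    # TYPE: the classification if present, else the signature message; commas
    # are replaced so the record keeps exactly six fields.
    alert_type = (m.group("cls") or m.group("msg")).replace(",", " ")
    cve = CVE_REF.search(m.group("msg"))
    return ",".join([
        m.group("src"), m.group("dst"),
        m.group("sport") or "", m.group("dport") or "",  # ICMP alerts carry no ports
        alert_type, cve.group(0) if cve else "none",
    ])


def convert_log(lines: List[str]) -> List[str]:
    """Convert many lines, silently dropping the ones that do not parse."""
    return [r for r in (fast_to_record(ln) for ln in lines) if r is not None]


# Constructed sample lines (RFC 5737 test addresses, placeholder CVE id), not real sensor data.
SAMPLE_FAST_LOG = [
    "08/12/2019-08:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:41234 -> 198.51.100.7:80",
    "08/12/2019-08:22:03.654321  [**] [1:9000001:1] TEST exploit attempt CVE-0000-0000 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51000 -> 198.51.100.7:445",
    "08/12/2019-08:22:05.000000  [**] [1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 198.51.100.7",
    "this line is not an alert",
]

if __name__ == "__main__":
    for rec in convert_log(SAMPLE_FAST_LOG):
        print(rec)  # the lines a script would append to /var/log/suricata.log
```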