A day of IDS (Snort) event data

A day of IDS (Snort) event data

graph software

What tool did you use to create the graph? We have been working with extracts from IDS event logs trying various tools to graph the same fields as you used (event/signature, source, destination) but most tools have choked on the tens of thousands of rows we try to feed.

It was created with

It was created with this:


I had to modify afterglow a bit so that it wouldn't have to chug through all of the data.

This query:

SELECT INET_NTOA(event.src_ip),INET_NTOA(event.dst_ip),signature FROM event WHERE timestamp BETWEEN "2010-04-13 21:00:00" AND "2010-04-14 21:00:00" AND (signature LIKE '%MALWARE%') ORDER BY timestamp DESC;

Returns 3464 rows.

Became this:

SELECT INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.signature, COUNT(event.signature) as hits FROM event WHERE timestamp BETWEEN "2010-04-13 21:00:00" AND "2010-04-14 21:00:00" AND (signature LIKE '%MALWARE%') GROUP BY event.src_ip, event.dst_ip, event.signature ORDER BY hits desc;

Returns 1002 rows.

My "all events" query went from 66,381 -> 11,309!

Data interpretation

Great graph. Can you tell us more what we see? What is the cluster on the top left? What are the things you learned from this? What did you do once you had this graph? What did you learn? Anything interesting?

The results are: Signature,

The results are:

Signature, Source Address, Destination Address, Count

The coloring is based on the following:
color.event="gray90" if ($fields[3]==1);
color.target="gray90" if ($fields[3]==1);
color.event="gray70" if ($fields[3]<=20);
color.target="gray70" if ($fields[3]<=20);
color.event="gray30" if ($fields[3]<=50);
color.target="gray30" if ($fields[3]<=50);
color.event="orangered" if ($fields[3]<=100);
color.target="orangered" if ($fields[3]<=100);
color.event="red" if ($fields[3]<=200);
color.target="red" if ($fields[3]<=200);

The entire upper half is comprised mostly of P2P. There is a stark difference between UDP (the testicles) and TCP (fanout). The strange mass in the center is web tool bars (Malware). Funwebproducts is the major concentration with the outliers belonging to market score and other 'suspicious' agents. What is interesting is on the brink of this is a tie into the 'compromised hosts' rules; not surprising I guess :). Skype traffic is the clean packed circle just to the right and below of the tool bar mass (single destination, many source).

When I first created this visual there was no depth. In particular, I was having a difficult time 'at a glancing' some policy rules. The addition of the aggregate event counts and subsequent coloring really adds value.