Zombie network activity representation by Dorothy


This graph is automatically generated by the Dorothy framework whenever a new malware sample is analyzed.
It aggregates three different kinds of information: 1) the network activity, 2) the DNS host resolutions, 3) the HTTP GET/POST requests.
In this way, we can easily identify certain activity related to botnet communications.
A quick legend:
Colors:
Green = Services / hostnames
Red = General target
Purple Red = Known C&C (in this example there isn't any)
Purple = C&C Web target
Light blue = private network host

Circle = Target
Triangle = Source

The shape's size represents the amount of network activity related to that node.

object sizes


I'm looking for some tips on how to get the objects to be automatically resized depending on their frequency.

The background for this is that I'm implementing AfterGlow with Splunk to analyse our IDP logs.
I want the "attack" and the source and destination IPs to be made bigger the more frequently they occur, but can't seem to work it out.

I think it's with the size.event and size.source?

Any ideas?


Got It!

Hi Again,

I found it in the end.

I bought the Applied Security Visualization book, and it was all in there.

One thing I'm still having issues with is getting my AfterGlow link maps with minimal or no overlaps, so they are more readable.

Any thoughts on this?