"In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps, is that they are the combination of months of data without any respect to time.
So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.
Without further ado, here is a video of about a week's worth of SPAM on the planet Earth......"
Note, I learnt about the logster tool here on the secviz blog first :)
Watch the vid on the blog, Here is a snapshot picture.
As promised once I managed to get 2.0 out I would make 1.0 a free download. 2.0 we've added the world map, timeline and organizational data. What was interesting was we started to look for "soft" targets, home users, colleges etc. The places that hackers tend to "train" on...( I know that some colleges and home users are built like fort Knox : )
When we started to use the filters on the timeline, specifically looking for universites it opened up a whole new avenue for exploration. I found a couple of systems with possible "interesting" traffic not detected by my snort, Cisco IPS or symantec software. We're in the process of adding an hourly report. I wanted this to be similar to the hourly wrap conducted by most organizations..ie looking for "strange" traffic (low port to low port, multiple connections to new ip addresses but source port remaining the same etc etc...anything that we would consider "crafted" or maybe unusual.) I think the timeline gives an interesting filter approach to visually looking at the data...we have some other stuff up our sleeve (especially with the timeline...but also about displaying the hourly datasets....I thought about a "virus" like approach with "cells" representing events, but turning darker and mutating if they meet preconditions...i know it sounds strange but in my head it seems to work :) )
you can download the free "lite" version (no timeline, no world map, no organizational data etc but should give you an idea how easy it is to set up)
and yes we will update the demo page to include the new stuff.....:)
In the snapshot above, the administrator has created a "Top Peers" statistics based on filtered log entries and decided to view the outcome as a Geolocation Map. You can monitor network traffic with the help of Geolocation Maps in real-time too. Here is a video that describes more closely how StoneGate Management Center's Geolocation feature works in practice: http://stoneblog.stonesoft.com/2009/07/smc-videos-geolocations/.
Mainly as a bit of fun, I thought it would be interesting to sort some of our SPAM into distinct groups and make some wordclouds, or more specifically SPAMclouds from the content of the spam.
Attached is the cloud for SPAM attempting to recruit Money Mules.
You can see the Phishing and Advance Fee Fraud (AFF) clouds and the full story here http://honeynet.org.au/?q=spamclouds
I have captured few examples for visualization to show internet distribution of OS X threat. This has been discussed here.
Some time ago F-Secure collected a bunch of log data on about 700 000 botnet IRC channel joins. They then asked us to visualize the joins as a time lapse on a world map using geomapping. The results are available here: https://www.clarifiednetworks.com/Blog/2009-01-01%2018-15.