GEO Tagging Attacks

I am working on a Parser that transforms any kind of ASCII input log file into KML files used in Google Earth/Maps.

What does it do?

1. Reads the log
1a. Extracts an IP (column or Regex based)
1b. Extracts a node name (column or Regex based)
1c. Extracts a description (column or Regex based)
2. Retrieves a longitude and latitude to the given IP address
3. Writes a KML file for Google Earth


Well, I was recently analyzing a big set of IDS events with about 99% false positives. Most of them originated from partners of the company located in England and France. Only a few of them - the real positives - originated from countries like Iran, Pakistan, Brazil, Russia and China.
That way it was really smooth to determine the real attacks and leave the false positives aside.

The picture is an animated GIF. Hope this format comes through. :)
It shows an analysis of a mod_security log file.

I'll provide a download link for the script soon. (the sticking point is the GeoIP database; most of them are commercial ones; currently I use TOR network and a GEO IP web service to determine the LAT and LON parameters. That should not be the final solution, right?!)

---- Update -----
I use a local database now which makes it very - Very - fast. It parses 8500 mod_security events in 10 secs. The resulting KML file is 5 MB. I generated a new picture set showing all events of 9 months placed on a world map. And I have to say ... "bad - bad bad Italy!". I am quite sure that this was the spreading of the MPack Malware Kit this spring.

--- Update 2 ---
I advanced the script with an option to define a source and target IP address to draw lines in the world map. Nice, isn't it? Now it is possible to parse log files with source and target to determine the connections between the nodes. Targets are marked with different icons.
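The pipeline described in the post (regex extraction of source/target IP and description, GeoIP lookup, KML output with points and connecting lines), as an added example that is not the author's script. The log lines and the GeoIP table are constructed stand-ins; the real script reads a local GeoIP database.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log lines (mod_security-style: time, source -> target, rule message).
SAMPLE_LOG = """\
2007-05-03 10:21:07 203.0.113.5 -> 198.51.100.10 [msg "SQL Injection Attempt"]
2007-05-03 10:22:14 192.0.2.44 -> 198.51.100.10 [msg "Path Traversal"]
2007-05-03 10:23:55 10.0.0.9 -> 198.51.100.10 [msg "Path Traversal"]
"""

# Constructed stand-in for a local GeoIP database: ip -> (lat, lon).
GEO_DB = {
    "203.0.113.5": (35.69, 51.39),
    "192.0.2.44": (41.90, 12.49),
    "198.51.100.10": (51.51, -0.13),
}

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) -> (\S+) \[msg "([^"]*)"\]')

def parse_events(text):
    """Extract (time, src, dst, description) from each line matching LINE_RE."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def to_kml(events, geo_db):
    """Build a KML document: a Point per source and a LineString per src->dst pair.
    Events whose IP is missing from geo_db (e.g. private ranges) are skipped and counted."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    skipped = 0
    for when, src, dst, desc in events:
        if src not in geo_db or dst not in geo_db:
            skipped += 1
            continue
        (slat, slon), (dlat, dlon) = geo_db[src], geo_db[dst]
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = src
        ET.SubElement(pm, "description").text = f"{when} {desc}"
        # KML coordinates are lon,lat,alt; swapping lat/lon puts the marker far off the map.
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{slon},{slat},0"
        line = ET.SubElement(doc, "Placemark")
        ET.SubElement(line, "name").text = f"{src} -> {dst}"
        ls = ET.SubElement(line, "LineString")
        ET.SubElement(ls, "coordinates").text = f"{slon},{slat},0 {dlon},{dlat},0"
    return ET.tostring(kml, encoding="unicode"), skipped

if __name__ == "__main__":
    kml_text, skipped = to_kml(parse_events(SAMPLE_LOG), GEO_DB)
    print(kml_text)
    print(f"# {skipped} event(s) without geo data skipped")
```

The skipped counter matters in practice: private or unrouted addresses have no geolocation, and silently dropping them hides part of the log from the map.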

I have done the same thing here but it shows the wicked IP logged by packet filter.

It's really quite good to visualize and geolocalize our attacks.

Now that is a project that I have really been interested in. I would really enjoy being able to utilize your project. I think this would be very helpful for quick visual scanning of IP addresses. Please put up a link and keep us updated!

Is this available for people

Is this available for people to have a look yet?

Sphere of influence

Have you looked at my site? Take a look at the demo of Sphere of Influence; as soon as I recoup costs I will open source it.

A Windows version is coming online soon... I also have the world map with the geolocational data... that should be implemented soon enough...
At present I'm using Snort as my IDS base, but hopefully will include Windows and honeynet...

Also a "correlation" window will be coming soon in which you can mathematically define a series of events that will trigger an alert...

Creating KML files based on Kismet data using a DB.

This is really cool! You might also be interested in something I recently posted about, for converting Kismet data into KML files. The software uses a SQLite database to store the data which allows users to build KML maps based on their queries.

Let me know what you think. I'm going to add more documentation soon.