InfoSec Ninjas 資安忍者

Traffic & Attack Map for Suricata



"Traffic & Attack Map for Suricata" is forked from Matthew May's Attack Map at GitHub

"Traffic & Attack Map for Suricata" is modified to work with Suricata's eve.json file. It shows the inbound traffic only which includes normal and attack traffic. It is designed for Python 3 and Ubuntu Server 16.04 LTS. It is also designed to install on the box of Suricata.

The map shows "DROP" or "ALERT" when the traffic is dropped or alerted on by Suricata. All other traffic is labelled with its Suricata event type, such as DNS, TLS, FILEINFO, etc.
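As an added example that is not the project's own DataServer.py, the following Python 3 snippet shows how an eve.json record maps onto the labels described above (DROP, ALERT, or the upper-cased event type), keeps only traffic inbound to the Suricata box, and tails the log from its current end the way version 0.0.2 does. The IP addresses are constructed placeholders and HQ_IP stands in for the hq_ip value edited in Step 4; the sample records are constructed, not real traffic.

```python
import json
import time

# Assumed external IP of the Suricata box (placeholder for the hq_ip value in Step 4).
HQ_IP = "203.0.113.10"

def classify(event):
    """Label one eve.json record the way the map does: DROP/ALERT for alerts,
    otherwise the upper-cased Suricata event_type (DNS, TLS, FILEINFO, ...)."""
    etype = event.get("event_type")
    if etype == "alert":
        # Suricata sets alert.action to "blocked" for dropped packets, "allowed" otherwise.
        return "DROP" if event.get("alert", {}).get("action") == "blocked" else "ALERT"
    return etype.upper() if etype else None

def inbound_events(lines, hq_ip=HQ_IP):
    """Parse JSON lines and return (label, src_ip, dest_ip) for traffic destined to hq_ip.
    Malformed lines (e.g. a record still being written) are skipped rather than fatal."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("dest_ip") != hq_ip:
            continue  # outbound or unrelated traffic is not shown on the map
        label = classify(ev)
        if label:
            events.append((label, ev.get("src_ip"), ev["dest_ip"]))
    return events

def follow(path, poll=0.5):
    """Yield complete lines appended to path, starting at its current end of file
    (the 0.0.2 behaviour) instead of replaying the whole log."""
    with open(path, "r") as f:
        f.seek(0, 2)  # seek to EOF
        buf = ""
        while True:
            chunk = f.read()
            if not chunk:
                time.sleep(poll)
                continue
            buf += chunk
            *full, buf = buf.split("\n")  # keep a trailing partial line for the next round
            for line in full:
                yield line

# Constructed sample records (not real traffic); the last one is deliberately truncated.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature":"TEST SIG"}}',
    '{"event_type":"alert","src_ip":"198.51.100.8","dest_ip":"203.0.113.10","alert":{"action":"allowed","signature":"TEST SIG"}}',
    '{"event_type":"dns","src_ip":"198.51.100.9","dest_ip":"203.0.113.10"}',
    '{"event_type":"tls","src_ip":"203.0.113.10","dest_ip":"192.0.2.5"}',
    '{"event_type":"fileinfo","src_ip":"198.51.100.1',
]

if __name__ == "__main__":
    for label, src, dst in inbound_events(SAMPLE_EVE):
        print(f"{label:8} {src} -> {dst}")
```

A reader that keeps the old file descriptor open like this stops seeing new records once logrotate renames eve.json, which is the failure the Troubleshooting section below describes.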

License

"Traffic & Attack Map for Suricata" is released under GPLv3 by Samiux.




Requirements

(1) A working dedicated Suricata server running as an IDPS on Ubuntu Server
(2) Python 3.x
(3) Web server with websocket function
(4) Redis server

Package

sha256sum 15172fdf72a22c7738382330a399c8338fc0723b1eaa495014a1087d530b27eb attack-map-0.0.2.tar.gz

ChangeLog

Version 0.0.1 - Dec 12, 2016
[+] First release under GPLv3

Version 0.0.2 - Jan 4, 2017
[+] Read eve.json from the end of the file (EOF) instead of from the beginning

Installation

Step 1 :

sudo apt-get install python3-pip redis-server
sudo pip3 install tornado tornado-redis redis maxminddb


sudo nano /etc/redis/redis.conf

Change from:
bind 127.0.0.1

To:
bind 0.0.0.0

Redis then listens on every interface of the box, so restrict access to its port (6379 by default) with the host firewall.

Step 2 :

wget https://www.infosec-ninjas.com/files/attack-map-0.0.2.tar.gz
tar -xvzf attack-map-0.0.2.tar.gz
cd attack-map/geoip-attack-map
sudo sh ./db-dl.sh

cd ..
sudo cp -R geoip-attack-map /var/www


Step 3 :

sudo cp attackmap.service /lib/systemd/system/
sudo cp dataserver.service /lib/systemd/system/

sudo systemctl enable attackmap.service
sudo systemctl enable dataserver.service

Step 4 :

cd /var/www/geoip-attack-map/DataServer
sudo nano DataServer.py


Go to:
hq_ip = '8.8.8.8'

Replace the value '8.8.8.8' with your external IP address.

cd /var/www/geoip-attack-map/AttackMap
sudo nano trafficline.js


Go to:
var webSock = new WebSocket("ws://192.168.20.180:8888/websocket");

Replace "192.168.20.180" with the IP address of your Suricata box.

Go to:
var hqLatLng = new L.LatLng(33.936051, -81.048565);

Replace the L.LatLng values with the latitude and longitude of your location. You can go to http://latitudelongitude.org to find your latitude and longitude values.

Then configure your web server to serve "/var/www/geoip-attack-map/AttackMap" as its document root. Make sure the "websocket" module or function is enabled on your web server. The websocket port is 8888 by default.

*** Setting up the web server to work with this project is out of the scope of this guide.

Step 5 :

Redis requires this kernel setting to avoid a performance issue, so you need to edit the boot parameter in GRUB.

sudo nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="transparent_hugepage=never"

sudo update-grub

sudo reboot


Step 6 :

Once the server has booted, point your browser to the web server IP address you configured in the steps above.

Troubleshooting

If there is no traffic on the map, it is probably because DataServer.py has stopped working and needs to be restarted. Log rotation of eve.json causes this problem.

sudo systemctl restart dataserver

*** Please note that it needs time to read the eve.json file from the beginning on every restart.

Please also note: do not refresh or reload the page, as it will corrupt the map. You need to restart the browser instead.