04/19/2014 by h
PSAD attacks in a picture
I’ve been playing around with PSAD for a little while testing stuff with it (setup psad and combine with ipset) and now I started to look at a really interesting feature that combine PSAD with some other tools that can give you an overview of the attacks in a picture! It uses Afteglow to plot the data into an image.
1 – Download Afterglow and extract it on a folder
2 – Use PSAD to convert the log data to CSV and pipe that to the Afterglow.pl script
psad --CSV -m /var/log/your_logfile.log --CSV-fields "src dst dp" --CSV-max 1000 | perl /afterglow/src/perl/graph/afterglow.pl -c /afterglow/src/perl/parsers/color.properties | neato -Tgif -o plot_data.gif
#--CSVfields can be use to specified an destination IP, port number, etc
#You can modify the color.properties file to use different colors
3 – I just move the file to my web server folder to be able to look at it on the browser
mv plot_data.gif /var/www/default/
This one below is an example of data plotted by Afterglow on a vps I use, I just grabbed an old log file and used the filter dp:5900 so this shows the connection attempts where an external IP tried to connect to port 5900 on my server. I did not modify the color.properties so everything is red but you can play with it and make your host look yellow or any color you like.
This is the generated image:
Why is it useful to have that in a picture? I personally think that it gives me a better understanding of what’s happening in the background and since I’m a very visual person I can easily gather from picture some common patterns (for example if you’re been “attacked” by a botnet you could see the IP addresses trying to make the connections and maybe spot some similarities, things like IPs from the same networks, countries, or even a company)
Here you have some links to the official psad website Psad plot examples and also to the Afterglow site. At the time the only problem I found is a perl issue when using the CSV-fields of src:220.127.116.11 or dst:18.104.22.168, any IP I use won’t produce any graphics even though I know they’re on the log file but I think it’s because I’m using an older version of psad, or maybe the version of Pearl I’m using is not the right one for the job, either way I might dig into this at a later point since I’m happy with the results I have now.
Comments? contactm e (a t_)dr 0u.co m
Use this under your own risk