Monday, June 9, 2014

Snort alert count on Google Earth

Requirement

For a long time I wanted to know how could I plot the alerts which each snort sensor is generating on a Google Earth based on geographic location.  If this could be done I could see from which location on the globe am I getting lots of alerts from.

Solution

The solution to my problem was all in the power of KML file.


Pre-requisites

1. Have snort running on many places.
2. Have barnyard to log your alerts (Optional if you are using old version of snort).
3. The last three characters of your sensors should be named after the airport code. (For example: Chennai sensor name "SensorMAA").  If you are wondering how to get all airport codes stick around.
4. View the snort generated alerts using BASE (Since my mysql query will work only on the BASE generated mysql schema).
5. Be able to run my bash script on the server which runs your mysql server.
6. Of-course Google Earth.

Making

Follow along there are a few steps.

1. Download the script and the support files as a zip from here.  The flow chart for creating the script is here.
2. Edit the file "GoogleEarth/Project/conf/mysql.cnf" to contain your IDS mysql credentials.
3. Run the file "GoogleEarth/Project/bash.sh" like ./bash.sh
4. Now Open the file "GoogleEarth/Project/Alerts.kml"
5. You could add bash.sh to a cron job which runs every 5 minutes so that the bar height on Google Earth would get updated automatically.



If you think I am forgetting something you bet your correct, you can get all the airport codes from the file you downloaded. "GoogleEarth/Project/resource/airport_codes.csv"



















No comments:

Post a Comment