I never stop being fascinated by the fact that web admins have boxes online that anyone in the world can reach out and touch. Visualizing this activity is enthralling to me, as visualization often highlights answers to existing questions while exposing new ones.
Geolocated firewall drops within the last 4 hours
[ Fullsize image. ]
Splunk excels at this task, and if you haven’t used it yet I suggest you get a copy (free) and install it immediately (or sooner). Splunk lets you search pretty much any type of log data in a very Unixy way: you can do basic searches, pipe them to additional filters, and pipe those to various types of output. It’s quite stunning. As an example, the map above was created with the following syntax:
firewall drop | geoip SRC
That command (result shown above) just piped all your firewall drops into a command called
geoip, which is used by Google Maps — one of the applications that you can install (free) on Splunk. It takes any IP information as input, runs it through the GeoIP database, and maps it onto, well, a Google Map. If you don’t think that’s über, then stop reading and attack yourself. Using Splunk combined with GeoIP information, you can ask some wicked-cool questions like:
- what countries are hitting the drop rule on my firewall?
- what cities are triggering firewall drops on TCP 1433?
- show me everyone requesting any of the directories denied in robots.txt
- what country hits my time server the most?
- what passwords are people guessing against my SSH server?
- who’s sending me SQL commands in HTTP traffic?
- give me a list of all user-agents that hit me from Australia
Etc, etc. It’s whatever you can come up with, and it depends on the types of things you’re hosting and curious about. So let’s play a bit more. Let’s look at firewall drops, by destination port, coming from China, in the last 24 hours:
Firewall drops from china, by port
[ Fullsize image. ]
Boom: sorted list of ports that they tried to touch. Oh, and you can do another pipe and create a graph on the fly if you wanted to. And then the questions: what are these ports that they’re trying to hit, and why? Should we check some malware lists, perhaps?
Let’s pivot by city (yes, you can pull city data too) and see if there are any universities in those towns.
A list of Chinese cities hitting my firewall
You’re limited only by your creativity with this. Go get a copy of Splunk and load up a couple of apps. Everything I’ve shown here is free — both Splunk itself and the Google Maps application. And they have tons more apps as well: some that very attractively display your Cisco logs, Unix logs, Windows logs, and a myriad of others.
Have fun with it, and hit me up with some cool ideas for search queries.