Monday, December 12, 2016

HOWTO : Traffic and Attack Map for Suricata

"Traffic & Attack Map for Suricata" is forked from Matthew May's Attack Map on GitHub.

"Traffic & Attack Map for Suricata" is modified to work with Suricata's eve.json file. It shows inbound traffic only, which includes both normal and attack traffic. It is designed for Python 3 and Ubuntu Server 16.04 LTS, and it is meant to be installed on the same box as Suricata.

The map shows "DROP" or "ALERT" when the traffic is dropped or alerted on by Suricata. All other traffic is shown by its nature (the eve.json Event Type), such as DNS, TLS, FILEINFO, etc.

License

"Traffic & Attack Map for Suricata" is released under GPLv3 by Samiux.




Requirements

(1) A working dedicated Suricata server running as an IDPS on Ubuntu Server
(2) Python 3.x
(3) Web server with websocket support
(4) Redis server

Package

sha256sum fda369bd246048ce883fabb16e085caa022a492a7e188b4f0c99f37ea4bc8bdb attack-map-0.0.1.tar.gz

Installation

Step 1 :

sudo apt-get install python3-pip redis-server
sudo pip3 install tornado tornado-redis redis maxminddb


sudo nano /etc/redis/redis.conf

Change from :
bind 127.0.0.1

To :
bind 0.0.0.0

Binding to 0.0.0.0 makes Redis reachable on every network interface of the box, not just the loopback, so make sure the host firewall keeps it unreachable from untrusted networks.

Step 2 :

wget https://www.infosec-ninjas.com/files/attack-map-0.0.1.tar.gz
tar -xvzf attack-map-0.0.1.tar.gz
cd attack-map/geoip-attack-map
./db-dl.sh

cd ..
sudo cp -R geoip-attack-map /var/www


Step 3 :

cd ..
sudo cp attackmap.service /lib/systemd/system/
sudo cp dataserver.service /lib/systemd/system/

sudo systemctl enable attackmap.service
sudo systemctl enable dataserver.service


Step 4 :

cd /var/www/geoip-attack-map/DataServer
sudo nano DataServer.py


Go to :
hq_ip = '8.8.8.8'

replace the value of "hq_ip" (8.8.8.8) with your external IP address.
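The labelling rule described at the top of this guide (DROP or ALERT for traffic Suricata dropped or alerted on, otherwise the event type) and the hq_ip filter edited here are easy to check against a few eve.json lines. The following Python 3 script is an added example, not the project's DataServer.py: it assumes that "inbound" means dest_ip equals hq_ip, that a dropped packet appears either as a "drop" event or as an alert whose action is "blocked", and the addresses, signatures and log lines in it are constructed for the demonstration.

```python
"""Added example: classify inbound Suricata eve.json events the way the
traffic map labels them. Not the project's own DataServer.py."""
import json
import time
from collections import Counter

# Assumption: stands in for the hq_ip value edited in DataServer.py.
HQ_IP = "203.0.113.10"

# Constructed eve.json lines (one JSON object per line), including an
# outbound event, a corrupt line and an empty line that must be skipped.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2016-12-12T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.7","src_port":4444,"dest_ip":"203.0.113.10",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"allowed",'
    '"signature":"CONSTRUCTED SSH scan","severity":2}}',
    '{"timestamp":"2016-12-12T10:00:01.000000+0000","event_type":"drop",'
    '"src_ip":"198.51.100.8","src_port":5555,"dest_ip":"203.0.113.10",'
    '"dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2016-12-12T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.9","src_port":6666,"dest_ip":"203.0.113.10",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"blocked",'
    '"signature":"CONSTRUCTED blocked web request","severity":1}}',
    '{"timestamp":"2016-12-12T10:00:03.000000+0000","event_type":"dns",'
    '"src_ip":"192.0.2.5","src_port":53000,"dest_ip":"203.0.113.10",'
    '"dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com"}}',
    '{"timestamp":"2016-12-12T10:00:04.000000+0000","event_type":"tls",'
    '"src_ip":"203.0.113.10","src_port":50001,"dest_ip":"198.51.100.10",'
    '"dest_port":443,"proto":"TCP"}',
    "this is not json",
    "",
]


def classify(event, hq_ip):
    """Return a map record for an inbound event, or None to skip it.

    DROP: a 'drop' event, or an alert Suricata blocked.
    ALERT: any other alert.
    Otherwise the upper-cased event type (DNS, TLS, FILEINFO, ...).
    """
    if event.get("dest_ip") != hq_ip:
        return None  # outbound or unrelated traffic is not drawn on the map
    etype = event.get("event_type", "unknown")
    alert = event.get("alert") or {}
    if etype == "drop" or (etype == "alert" and alert.get("action") == "blocked"):
        label = "DROP"
    elif etype == "alert":
        label = "ALERT"
    else:
        label = etype.upper()
    return {
        "label": label,
        "src_ip": event.get("src_ip"),
        "dest_port": event.get("dest_port"),
        "proto": event.get("proto"),
        "signature": alert.get("signature"),
    }


def parse_line(line, hq_ip):
    """Parse one eve.json line; partial or corrupt lines are skipped."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # a line still being written, or garbage
    return classify(event, hq_ip)


def process_eve_lines(lines, hq_ip):
    """Classify a batch of lines, keeping only inbound records."""
    records = []
    for line in lines:
        rec = parse_line(line, hq_ip)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Count records per label, e.g. {'ALERT': 1, 'DROP': 2, 'DNS': 1}."""
    return dict(Counter(r["label"] for r in records))


def follow_eve(path, hq_ip, poll_seconds=1.0):
    """Yield records from eve.json, reading it from the beginning and then
    waiting for new lines. Reading from the start on every run is why a
    restart of the data server takes a while on a large eve.json."""
    with open(path, "r", encoding="utf-8") as fh:
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll_seconds)
                continue
            rec = parse_line(line, hq_ip)
            if rec is not None:
                yield rec


if __name__ == "__main__":
    for rec in process_eve_lines(SAMPLE_EVE_LINES, HQ_IP):
        print(rec)
    print(summarize(process_eve_lines(SAMPLE_EVE_LINES, HQ_IP)))
```

Running the script on the constructed lines yields four records (ALERT, DROP, DROP, DNS); the outbound TLS event and the corrupt line are dropped silently, which is the behaviour you want from a reader that tails a live eve.json.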

cd /var/www/geoip-attack-map/AttackMap
sudo nano trafficline.js


Go to :
var webSock = new WebSocket("ws://192.168.20.180:8888/websocket");

replace the "192.168.20.180" with your Suricata IP.

Go to :
var hqLatLng = new L.LatLng(33.936051, -81.048565);

replace the value of L.LatLng with your location. You can go to http://latitudelongitude.org to find your Latitude and Longitude values.

Then configure your web server to point its root directory to "/var/www/geoip-attack-map/AttackMap". Make sure the "websocket" module or function is enabled on your web server. Note that the websocket port is 8888 by default.

*** Setting up the web server to work with this project is out of the scope of this guide.

Step 5 :

Redis requires this setting to avoid a performance issue, so you need to edit the boot parameters in GRUB.

sudo nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="transparent_hugepage=never"

sudo update-grub

sudo reboot
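After the reboot you can confirm that the kernel actually picked up the parameter by reading the transparent hugepage mode from sysfs. This shell snippet is an added check, not part of the original guide; it assumes the standard sysfs path /sys/kernel/mm/transparent_hugepage/enabled, whose content looks like "[always] madvise never" with the active mode in brackets.

```shell
#!/bin/sh
# Added check (not from the guide): report the active transparent_hugepage
# mode and fail if it is not "never", which is what Redis expects.

THP_FILE="${THP_FILE:-/sys/kernel/mm/transparent_hugepage/enabled}"

# Extract the bracketed word from a line such as "[always] madvise never".
thp_mode_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# True when the line says THP is disabled.
thp_is_disabled() {
    [ "$(thp_mode_from_line "$1")" = "never" ]
}

# Read the sysfs file and report; returns 0 (ok), 1 (wrong mode), 2 (unreadable).
check_thp() {
    if [ ! -r "$THP_FILE" ]; then
        echo "cannot read $THP_FILE" >&2
        return 2
    fi
    line=$(cat "$THP_FILE")
    if thp_is_disabled "$line"; then
        echo "transparent_hugepage=never is active"
        return 0
    fi
    echo "transparent_hugepage is '$(thp_mode_from_line "$line")'; Redis expects 'never'" >&2
    return 1
}

# Usage: . ./thp-check.sh && check_thp
```

If check_thp reports a mode other than "never", the GRUB change did not take effect (a common cause is editing /etc/default/grub without running sudo update-grub before rebooting).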


Step 6 :

Once the box has booted, point your browser to the IP address you entered in the steps above.

Troubleshooting

If there is no traffic on the map, DataServer.py is probably not working and a restart is required.

sudo systemctl restart dataserver

*** Please note that on every restart the data server reads eve.json from the beginning of the file, which takes some time.

Please also note that you should not refresh or reload the page, as that corrupts the map. You need to restart the browser instead.

REFERENCE

Traffic and Attack Map for Suricata

That's all! See you!