Archive for March 2009
Because I am slowly ripping the house apart, it makes sense to add some CAT5e at the same time. Structured cables require a central location where you can patch them together, and at home I don’t want to dedicate a load of space to a server room. I spent some quality time with the hall cupboard and some MDF.
I mounted the patch panel vertically so all the back-end CAT5 will be hidden. Power is fed to everything from behind the panel (held in with magnetic clips) to keep things tidy.
Snort events and Google Earth Mashup. They say a picture is worth a thousand words, so I guess the below is all I need to show to explain.
Firstly, karma goes to James Tucker for hacking together an early PoC.
I looked into hooking Google Earth into Sourcefire’s Defense Center about a year ago, but ran into issues with finding a good *free* geolocation perl module that I could use. After a chat with Jim a few weeks back, he pointed me to Maxmind and provided a quick sample of plotting a Snorty pig.
I jumped right into making the integration glue for Sourcefire’s real-time event feed (EStreamer), making it plot the location of your current attacker as the events flood in.
The Good: It worked!
The Bad: It made me dizzy!
The world would spin way too fast to keep up with all the nasty stuff out there. I finally decided on a more mature approach of parsing either a snort alert file, or a Sourcefire CSV report. This way the user gets more control of the data being rendered.
To see a real example, download and take a look at the below KML file (open in Google Earth). I re-enabled SQL worm detection in my snort config on a publicly accessible device to find out which country is being the slowest to patch. It provided an immediately interesting trend. Well done Europe and America for patching against an 8-year-old problem, shame on the rest of you! Open the attached KML file in Google Earth to inspect it in detail on your own local system.
Because Sourcefire 3D uses an advanced method of alert prioritization (impact flags), when used with a Sourcefire report you get an output like the below.
Update: The code can be downloaded from Jason’s blog on Snort.org. It’s simple to use and get working, but I’ll knock up some instructions when I get a moment.
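To show the shape of the glue described above (snort alert file in, geolocated KML out), here is an added example in Python. It is not the code from Jason’s blog or the Perl tool the post describes. The alert lines are constructed samples in Snort’s “fast” alert format using documentation IP ranges, and the GEO_DB dictionary is a constructed stand-in for a MaxMind GeoIP lookup; a real run would replace that lookup with the GeoIP library and read the alert file from disk.

```python
import re
from collections import Counter
from xml.sax.saxutils import escape

# Snort "fast" alert line layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample alert file (documentation IP ranges, not real attackers).
SAMPLE_ALERTS = """\
03/15-12:34:56.789012  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434
03/15-12:35:01.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.5:1434 -> 192.0.2.10:1434
03/15-12:36:10.500000  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.10:1434
this line is not a snort alert and must be skipped
"""

# Constructed stand-in for a MaxMind GeoIP lookup: ip -> (country, latitude, longitude).
GEO_DB = {
    "203.0.113.5": ("Example Country A", 35.0, 139.0),
    "198.51.100.77": ("Example Country B", 51.5, -0.1),
}


def parse_alerts(text):
    """Parse every well-formed fast-alert line; silently skip anything else."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["prio"] = int(d["prio"])
        events.append(d)
    return events


def summarise_by_source(events):
    """Collapse the flood into one counter per (source IP, signature) pair,
    which is what keeps the globe from spinning on every single packet."""
    counts = Counter()
    for e in events:
        counts[(e["src"], e["msg"])] += 1
    return counts


def build_kml(events, geo_db):
    """Return (kml_text, unlocated_sources). One Placemark per source IP;
    sources missing from the geolocation data are reported, not dropped silently."""
    placemarks = []
    unlocated = []
    for (src, msg), n in sorted(summarise_by_source(events).items()):
        loc = geo_db.get(src)
        if loc is None:
            unlocated.append(src)
            continue
        country, lat, lon = loc
        # KML coordinate order is longitude,latitude,altitude.
        placemarks.append(
            "  <Placemark>\n"
            f"    <name>{escape(src)} ({n} alerts)</name>\n"
            f"    <description>{escape(msg)} from {escape(country)}</description>\n"
            f"    <Point><coordinates>{lon},{lat},0</coordinates></Point>\n"
            "  </Placemark>"
        )
    kml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<kml xmlns="http://www.opengis.net/kml/2.2">\n<Document>\n'
        + "\n".join(placemarks)
        + "\n</Document>\n</kml>\n"
    )
    return kml, unlocated


if __name__ == "__main__":
    kml_text, missing = build_kml(parse_alerts(SAMPLE_ALERTS), GEO_DB)
    print(kml_text)
    if missing:
        print("no location for:", ", ".join(missing))
```

Aggregating per source before plotting is the “more mature approach” from the post: one placemark carries the alert count, so the map stays readable whatever the event rate.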
Yes, it’s the third time I have had to relocate my blogroll, but I am a victim of technology beyond my control. So I for one welcome my new WordPress.com overlord, and hope that it will be kind to my needs.
Old feeds have RewriteRule to the new location (I owe Apache another beer).