An alchemists view from the bar

Network Security Alchemy

Geographic Representation of Intrusion Events

with 4 comments

Snort events and Google Earth Mashup. They say a picture is worth a thousand words, so I guess the below is all I need to show to explain.

SQL Worms represented in Google EarthSQL Worms represented in Google Earth

Firstly, karma goes to James Tucker for hacking together an early PoC.

I looked into hooking Google Earth into Sourcefire’s Defense Center about a year ago, but ran into issues with finding a good *free* geolocation perl module that I could use.  After a chat with Jim a few weeks back, he pointed me to Maxmind and provided a quick sample of plotting a Snorty pig.

I jumped right into making the integration glue for Sourcefire’s real-time event feed (EStreamer), making it plot the location of your current attacker as the events flood in.

The Good: It worked!

The Bad: It made dizzy!

The world would spin way too fast to keep up with all the nasty stuff out there.  I finally decided on a more mature approach of parsing either a snort alert file, or a Sourcefire CSV report.  This way the user gets more control of  the data being rendered.

To see a real example, download and take a look at the below KML file (open in Google Earth). I re-enabled SQL worm detection in my snort config on a publicly accessible device to find out what country is being the slowest to patch.  It provided an immediately interesting trend. Well done Europe and America for patching against a 8 year old problem,  shame on the rest of you!  Open the attached KML file in Google Earth to inspect in detail on your own local system.

Download SQL Worm KML file

Because Sourcefire 3D uses a advanced method of alert prioritization (impact flags), when used with a Sourcefire report you get an output like the below.

Impact Flag based events

Impact Flag based events

Update: The code can be downloaded from Jason’s blog on, it’s simple to use and get working, up but Ill knock up some instructions when I get a moment.



Written by leonward

March 15, 2009 at 11:37 am

Posted in Security, Sourcefire

Tagged with , ,

4 Responses

Subscribe to comments with RSS.

  1. Nicely done Leon. You and Jim deserve a big pat on the back. I am definitely going to recommend this for a couple of my customers who need the “eye candy” but who no longer can use “THE VISUALIZER!”.


    March 24, 2009 at 1:12 pm

  2. […] leave a comment » A couple of people have asked me how to use my Snort / Sourcefire 3D events -> Google Earth KML report too I wrote a while back (download) (more info). […]

  3. Interesting – we had the same idea around the same time:

    Thanks – Tobias


    April 17, 2009 at 11:32 am

    • Hi,

      They say that great minds think alike!
      When I first googled, I was shocked that I couldn’t find any code that did this already.

      I have since improved things so it integrates with our (Sourcefire’s) eStreamer API. Ill post a screenshot or two in a few days after doing a little bit of polishing before Infosecurity London next week. I think it will be running on our stand as some eye-candy.


      April 22, 2009 at 5:33 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: