The tool and information below have been superseded by Snoge. More info about Snoge is available here.
Original text included for historical completeness.
Rather than answer each person separately, I thought I would post some instructions here. You will need:
- A Snort fast alert file OR a Sourcefire 3D Intrusion events CSV report (just the table view, with no hidden columns)
- A working perl environment. I run this script on OSX and Debian Linux; I have no idea if it works on Windows (if you have this working, please let me know)
- The perl module Geo::IP::PurePerl
- A text editor
1) Install Geo::IP::PurePerl. It's available from CPAN, so I recommend installing it that way:

[13:03:55]lward@drax~$ cpan
cpan shell -- CPAN exploration and modules installation (v1.7602)
ReadLine support available (try 'install Bundle::CPAN')
cpan> install Geo::IP::PurePerl
<snip>
2) Download the GeoLite City database (GeoLiteCity.dat.gz), gunzip it, and save it as /usr/local/share/GeoIP/GeoLiteCity.dat
3) Download the mk_sfkml.pl script from here and untar it (tar -zxvf ./filename.tgz)
4) You’re good to go.
Usage:

mk_sfkml.pl <options>
  -m or --mode <plot | attack>    Draw attack lines, or plot sources. Default=plot
  -i or --input                   Input filename.
  -t or --tool <3D | snort>       Source tool. (Default = 3D)
  -h or --help                    This message
  -o or --output                  KML output file. Defaults to /tmp/sfire.kml
  -s or --snort                   Place a snort instance at the location of this IP address
  -3 or --sensor <ip.add.re.ss>   Place a 3D sensor at the location of this IP address
  -d or --dupes                   Do not show multiple events from a single source location
./mk_sfkml.pl -t snort -m attack -i alert.sql -w /tmp/foo -s rm-rf.co.uk
[*] Reading from alert.sql: Creating /tmp/sfire.kml for google earth
[*] Adding a Sensor in York
[*] Working on a snort alert file
|- Start point 188.8.131.52 in Beijing
 + Destination point 184.108.40.206 in York
|- Start point 220.127.116.11 in Chengdu
 + Destination point 18.104.22.168 in York
|- Start point 22.214.171.124 in Changzhou
 + Destination point 126.96.36.199 in York
|- Start point 188.8.131.52 in Hefei
<snip>
And that’s it. Simple eh?
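For anyone who wants to see what the script is doing under the hood, here is the same pipeline written out in Python. This is an added example, not mk_sfkml.pl or any Snoge code: it parses Snort alert_fast lines, looks each address up, and writes Google Earth KML with a placemark per source and, in attack mode, a line from the source to the destination (the script's -m attack), with an option that mirrors -d. The alert lines are constructed for the example, and the GeoLiteCity lookup is replaced by a constructed in-memory table so it runs offline; with the real database you would swap in a GeoIP library call. Two things worth noting that the script's output does not show: addresses the database cannot place (RFC 1918 ranges in particular) have to be skipped rather than plotted at 0,0, and KML coordinates are written longitude first.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed alert_fast sample (not real traffic). The last line is not an alert and
# 10.0.0.5 is an RFC 1918 address, so no GeoIP database can place it.
SAMPLE_ALERTS = """\
05/19-13:03:55.123456  [**] [1:2003068:6] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 188.8.131.52:43210 -> 184.108.40.206:22
05/19-13:04:01.000001  [**] [1:2003068:6] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 188.8.131.52:43211 -> 184.108.40.206:22
05/19-13:05:10.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 220.127.116.11 -> 184.108.40.206
05/19-13:06:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:1234 -> 184.108.40.206:80
this line is not an alert and must be skipped
"""

# Constructed stand-in for the GeoLiteCity lookup: ip -> (city, lat, lon).
# Assumption: a real run would call a GeoIP library here instead of a dict.
GeoTable = Dict[str, Tuple[str, float, float]]
GEO_TABLE: GeoTable = {
    "188.8.131.52": ("Beijing", 39.9042, 116.4074),
    "220.127.116.11": ("Chengdu", 30.5728, 104.0668),
    "184.108.40.206": ("York", 53.9590, -1.0815),
}

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*[^\]]*\]\s+)?"
    r"\[Priority:\s*\d+\]\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

@dataclass
class Alert:
    ts: str
    sig: str  # gid:sid:rev
    msg: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'a.b.c.d:port' -> (ip, port); bare 'a.b.c.d' (ICMP) -> (ip, None). IPv4 only."""
    ip, sep, port = ep.rpartition(":")
    return (ip, int(port)) if sep else (ep, None)

def parse_fast_alerts(text: str) -> List[Alert]:
    """Parse alert_fast output; lines that do not match the format are skipped."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        alerts.append(Alert(m["ts"], f'{m["gid"]}:{m["sid"]}:{m["rev"]}', m["msg"],
                            m["proto"], src_ip, src_port, dst_ip, dst_port))
    return alerts

def unresolved(alerts: List[Alert], geo: GeoTable) -> List[str]:
    """Addresses the lookup cannot place (private ranges, unknown IPs): report, don't plot."""
    missing: List[str] = []
    for a in alerts:
        for ip in (a.src_ip, a.dst_ip):
            if ip not in geo and ip not in missing:
                missing.append(ip)
    return missing

def build_kml(alerts: List[Alert], geo: GeoTable, mode: str = "plot", dedupe: bool = False) -> str:
    """mode='plot' places each source; mode='attack' also draws a line to the destination.
    dedupe=True keeps one event per source location (like the script's -d option)."""
    root = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(root, "Document")
    ET.SubElement(doc, "name").text = "snort alerts"
    plotted = set()
    for a in alerts:
        src, dst = geo.get(a.src_ip), geo.get(a.dst_ip)
        if src is None or (mode == "attack" and dst is None):
            continue  # nothing to place; see unresolved()
        if dedupe and (src[1], src[2]) in plotted:
            continue
        plotted.add((src[1], src[2]))
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{a.src_ip} ({src[0]})"
        ET.SubElement(pm, "description").text = f"{a.ts} [{a.sig}] {a.msg} {a.proto}"
        # KML coordinates are lon,lat,alt, not lat,lon.
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{src[2]},{src[1]},0"
        if mode == "attack":
            ln = ET.SubElement(doc, "Placemark")
            ET.SubElement(ln, "name").text = f"{src[0]} -> {dst[0]}"
            ET.SubElement(ET.SubElement(ln, "LineString"), "coordinates").text = (
                f"{src[2]},{src[1]},0 {dst[2]},{dst[1]},0")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    found = parse_fast_alerts(SAMPLE_ALERTS)
    print(build_kml(found, GEO_TABLE, mode="attack"))
    print("# unresolved:", unresolved(found, GEO_TABLE))
```

Redirect the output to a .kml file and open it in Google Earth; the unresolved list is what you would check before wondering why a known-noisy internal host is missing from the map.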