An alchemist's view from the bar

Network Security Alchemy


How to use the Snort – Google Earth KML report tool


The tool and information below have been superseded by Snoge. More info about Snoge is available here.

Original text included for historical completeness.

A couple of people have asked me how to use my Snort / Sourcefire 3D events -> Google Earth KML report tool I wrote a while back (download) (more info).

Rather than answer to each person separately I thought I would upload some instructions here.

Required:

  • A Snort fast alert file OR a Sourcefire 3D Intrusion events CSV report (just the table view, with no hidden columns)
  • A working perl environment. I run this script on OSX and Debian Linux, I have no idea if it works on Windows (if you have this working please let me know)
  • The perl module Geo::IP::PurePerl
  • A text editor

1) Install Geo::IP::PurePerl. It’s available via CPAN, so I recommend you use it.

[13:03:55]lward@drax~$ cpan
cpan shell -- CPAN exploration and modules installation (v1.7602)
ReadLine support available (try 'install Bundle::CPAN')

cpan> install Geo::IP::PurePerl
<snip>

2) Download the DB required for Geo::IP from Maxmind. It can be found here.

3) Gunzip the file, and save it to /usr/local/share/GeoIP/GeoLiteCity.dat

4) Download the mk_sfkml.pl script from here and untar it (tar -zxvf ./filename.tgz)

5) You’re good to go.

mk_sfkml.pl <options>
-m  or --mode   <plot | attack>. Draw attack lines, or plot sources - Default=plot
-i  or --input   Input filename.
-t  or --tool   <3D | snort> Source tool.  (Default = 3D)
-h  or --help   This message
-o  or --output  KML output file. Defaults to /tmp/sfire.kml
-s  or --snort   Place a snort instance at the location of this IP address
-3  or --sensor <ip.add.re.ss> Place a 3D sensor at the location of this IP address
-d  or --dupes  Do not show multiple events from a single source location

For example:

./mk_sfkml.pl -t snort -m attack -i alert.sql -w /tmp/foo -s rm-rf.co.uk
[*] Reading from alert.sql: Creating /tmp/sfire.kml for google earth
[*] Adding a Sensor in York
[*] Working on a snort alert file
 |- Start point 121.232.246.147 in Beijing
  + Destination point 80.68.89.43 in York
 |- Start point 61.139.54.94 in Chengdu
  + Destination point 80.68.89.43 in York
 |- Start point 58.241.69.52 in Changzhou
  + Destination point 80.68.89.43 in York
 |- Start point 220.178.31.154 in Hefei
<snip>
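As an added illustration of what the script does internally (this is not mk_sfkml.pl and not Leon's code): parse Snort fast-alert lines, look up each IP's location, and write KML placemarks, drawing source-to-destination lines in attack mode and collapsing repeated sources the way -d does. The alert lines and the GEO table are constructed stand-ins for a real alert file and the GeoLiteCity lookup.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample of Snort "fast" alert output (not taken from the original post).
ALERTS = """\
04/01-12:25:01.000001  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 121.232.246.147:54321 -> 80.68.89.43:22
04/01-12:25:02.000002  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 121.232.246.147:54322 -> 80.68.89.43:22
04/01-12:25:03.000003  [**] [1:1000001:1] LOCAL ICMP probe [**] [Priority: 3] {ICMP} 61.139.54.94 -> 80.68.89.43
"""
# Stand-in for the GeoLiteCity lookup: IP -> (city, lat, lon). Rough, constructed coordinates.
GEO = {
    "121.232.246.147": ("Beijing", 39.9, 116.4),
    "61.139.54.94": ("Chengdu", 30.7, 104.1),
    "80.68.89.43": ("York", 53.96, -1.08),
}
# timestamp [**] [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_fast_alerts(text):
    """Return (msg, proto, src, dst) per alert line; lines that don't match are skipped."""
    return [m.group("msg", "proto", "src", "dst")
            for m in map(FAST_RE.match, text.splitlines()) if m]

def build_kml(events, mode="plot", dupes=False):
    """'plot' marks each source city; 'attack' also draws a src->dst line.
    dupes=True keeps only the first event per source location (like the -d flag)."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>']
    seen = set()
    for msg, proto, src, dst in events:
        if src not in GEO or dst not in GEO:
            continue  # no geolocation for this IP: skip rather than plot it at 0,0
        if dupes and src in seen:
            continue
        seen.add(src)
        city, lat, lon = GEO[src]
        parts.append(f'<Placemark><name>{escape(f"{src} ({city})")}</name>'
                     f'<description>{escape(f"{proto} {msg}")}</description>'
                     f'<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>')
        if mode == "attack":
            dlat, dlon = GEO[dst][1:]
            parts.append(f'<Placemark><name>{escape(f"{src} -> {dst}")}</name>'
                         f'<LineString><coordinates>{lon},{lat},0 {dlon},{dlat},0</coordinates>'
                         '</LineString></Placemark>')
    parts.append("</Document></kml>")
    return "\n".join(parts)
```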

And that’s it. Simple eh?

-Leon

Written by leonward

April 1, 2009 at 12:25 pm