In Geolocalización GeoIP con Argus Auditing Network Activity we already saw how to display this kind of data. We also saw the many ways we have of displaying any kind of Argus data graphically with AfterGlow.
This time we are going to produce Argus/AfterGlow graphs from GeoIP data.
Preparing the data.
We start from a capture file from the lab, already converted into an Argus data file (050608.out).
We can first sort the data by whatever criterion we need at the time. I am going to use racluster to aggregate (we have seen it in other chapters) and rasort to sort:
alfon@alfonubuntu:~$ racluster -m saddr daddr -r 050608.out -w - | rasort -m saddr daddr -w final.out
Now, as we already saw here about Argus and GeoIP, we extract the data with GeoIP information and dump it to a .csv file. To get .csv output we pass the -c option with the comma as field delimiter (-c,):
alfon@alfonubuntu:~$ ra -c, -r final.out -s saddr:15 bytes +label:70 -N50 > final.csv
Creating the AfterGlow graph.
We now have our .csv file; next we parse it with AfterGlow:
alfon@alfonubuntu:~$ cat final.csv | perl afterglow/src/perl/graph/afterglow.pl -c afterglow/src/perl/graph/color.properties > final.dot
Verbose mode is on.
Skipping 0 lines.
Reading a maximum of 999999 lines.
Split mode for events is 0.
Threshold 0.
Source Threshold 0.
Target Threshold 0.
Event Threshold 0.
Maximum Node Size 0.2.
----------- Property File: -----------
Done Reading Properties
Lines read so far: 1. Skipped: 0. Processed: 1
====> Processing: 62.43.206.126 -> 46100760 -> scity=Valencia
Lines read so far: 2. Skipped: 0. Processed: 2
====> Processing: 195.235.188.81 -> 328036650 -> scity=San Fernando
Lines read so far: 3. Skipped: 0. Processed: 3
====> Processing: 192.168.1.224 -> 23050380 -> dcity=Valencia
Lines read so far: 4. Skipped: 0. Processed: 4
====> Processing: 192.168.101.240 -> 164019783 -> dcity=San Fernando
Lines read so far: 5. Skipped: 0. Processed: 5
====> Processing: 192.168.101.240 -> 4979568 -> dcity=(null)
Lines read so far: 6. Skipped: 0. Processed: 6
====> Processing: 192.168.101.240 -> 14920770 -> dcity=(null)
Lines read so far: 7. Skipped: 0. Processed: 7
====> Processing: 80.58.61.250 -> 2489784 -> scity=(null)
Lines read so far: 8. Skipped: 0. Processed: 8
====> Processing: 192.168.1.11 -> 10699554 -> dcity=(null)
Lines read so far: 9. Skipped: 0. Processed: 9
====> Processing: 192.168.101.240 -> 10438476 -> dcity=(null)
Lines read so far: 10. Skipped: 0. Processed: 10
====> Processing: -> ->
Lines read so far: 11. Skipped: 0. Processed: 11
====> Processing: -> ->
Lines read so far: 12. Skipped: 0. Processed: 12
====> Processing: 192.168.101.240 -> 10230186 -> dcity=Mountain View
Lines read so far: 13. Skipped: 0. Processed: 13
====> Processing: 217.76.130.116 -> 7460385 -> scity=(null)
Lines read so far: 14. Skipped: 0. Processed: 14
====> Processing: 192.168.101.240 -> 10363986 -> dcity=Mountain View
Lines read so far: 15. Skipped: 0. Processed: 15
====> Processing: 192.168.101.240 -> 9167040 -> dcity=(null)
Lines read so far: 16. Skipped: 0. Processed: 16
====> Processing: 192.168.101.240 -> 10190376 -> dcity=(null)
Lines read so far: 17. Skipped: 0. Processed: 17
====> Processing: 192.168.100.241 -> 9626100 -> dcity=San Fernando
Lines read so far: 18. Skipped: 0. Processed: 18
====> Processing: 192.168.101.240 -> 9184074 -> dcity=(null)
Lines read so far: 19. Skipped: 0. Processed: 19
====> Processing: 192.168.101.240 -> 7606644 -> dcity=(null)
Lines read so far: 20. Skipped: 0. Processed: 20
====> Processing: 195.76.110.84 -> 5349777 -> scity=(null)
Lines read so far: 21. Skipped: 0. Processed: 21
====> Processing: 192.168.101.240 -> 6389856 -> dcity=Sunnyvale
Lines read so far: 22. Skipped: 0. Processed: 22
====> Processing: 192.168.101.240 -> 5981544 -> dcity=Plano
Lines read so far: 23. Skipped: 0. Processed: 23
====> Processing: 81.93.209.50 -> 5219238 -> scity=(null)
Lines read so far: 24. Skipped: 0. Processed: 24
====> Processing: -> ->
Lines read so far: 25. Skipped: 0. Processed: 25
====> Processing: -> ->
Lines read so far: 26. Skipped: 0. Processed: 26
====> Processing: 212.81.197.9 -> 7054578 -> scity=(null)
Lines read so far: 27. Skipped: 0. Processed: 27
====> Processing: 192.168.101.240 -> 5570526 -> dcity=Madrid
Lines read so far: 28. Skipped: 0. Processed: 28
====> Processing: 216.9.253.4 -> 1778478 -> scity=(null)
Lines read so far: 29. Skipped: 0. Processed: 29
====> Processing: 72.14.247.91 -> 5115093 -> scity=Mountain View
Lines read so far: 30. Skipped: 0. Processed: 30
====> Processing: 192.168.101.240 -> 3935802 -> dcity=Madrid
Lines read so far: 31. Skipped: 0. Processed: 31
====> Processing: 72.14.247.104 -> 5181993 -> scity=Mountain View
Lines read so far: 32. Skipped: 0. Processed: 32
====> Processing: 192.168.101.240 -> 2835048 -> dcity=(null)
Lines read so far: 33. Skipped: 0. Processed: 33
====> Processing: 192.168.101.240 -> 4283580 -> dcity=(null)
Lines read so far: 34. Skipped: 0. Processed: 34
====> Processing: 212.170.233.87 -> 4583520 -> scity=(null)
Lines read so far: 35. Skipped: 0. Processed: 35
====> Processing: 192.168.101.240 -> 4441572 -> dcity=Madrid
Lines read so far: 36. Skipped: 0. Processed: 36
====> Processing: 192.168.100.241 -> 686364 -> dcity=(null)
Lines read so far: 37. Skipped: 0. Processed: 37
====> Processing: 192.168.101.240 -> 3908682 -> dcity=(null)
Lines read so far: 38. Skipped: 0. Processed: 38
====> Processing: 89.202.149.42 -> 5095188 -> scity=(null)
Lines read so far: 39. Skipped: 0. Processed: 39
====> Processing: 195.235.188.81 -> 4813050 -> scity=San Fernando
Lines read so far: 40. Skipped: 0. Processed: 40
====> Processing: -> ->
Lines read so far: 41. Skipped: 0. Processed: 41
====> Processing: 192.168.101.240 -> 3777882 -> dcity=(null)
Lines read so far: 42. Skipped: 0. Processed: 42
====> Processing: 213.190.9.238 -> 4592037 -> scity=(null)
Lines read so far: 43. Skipped: 0. Processed: 43
====> Processing: 86.109.103.232 -> 3803322 -> scity=(null)
Lines read so far: 44. Skipped: 0. Processed: 44
====> Processing: 194.179.126.157 -> 4753638 -> scity=Arroyomolinos
Lines read so far: 45. Skipped: 0. Processed: 45
====> Processing: 192.168.101.240 -> 3075432 -> dcity=(null)
Lines read so far: 46. Skipped: 0. Processed: 46
====> Processing: 66.218.77.68 -> 3194928 -> scity=Sunnyvale
Lines read so far: 47. Skipped: 0. Processed: 47
====> Processing: 72.233.5.202 -> 2990772 -> scity=Plano
Lines read so far: 48. Skipped: 0. Processed: 48
====> Processing: 192.168.101.240 -> 2430942 -> dcity=Mountain View
Lines read so far: 49. Skipped: 0. Processed: 49
====> Processing: 192.168.101.240 -> 2357316 -> dcity=San Diego
Lines read so far: 50. Skipped: 0. Processed: 50
====> Processing: 84.122.86.45 -> 2181966 -> scity=San Fernando
All over, buster.
Now with neato, fdp, or any other Graphviz tool:
alfon@alfonubuntu:~$ fdp -Tpng -o final.png final.dot
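The pipeline above sends every ra record to AfterGlow, including the blank rows (shown as "-> ->") and the hosts whose GeoIP lookup failed (city=(null)), and it draws one edge per record even when the same host reaches the same city several times. The following is an added example, not code from the post or from the Argus/AfterGlow projects: it reads the same three-column CSV that ra -c, produces, drops those two kinds of noise, sums bytes per host/city pair the way racluster would, and writes a Graphviz DOT file ready for fdp. The sample rows are constructed from values in the run above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of what `ra -c, -s saddr:15 bytes +label:70` emits once
# the flows carry GeoIP labels (values copied from the post's afterglow run).
SAMPLE_CSV = """\
62.43.206.126,46100760,scity=Valencia
195.235.188.81,328036650,scity=San Fernando
192.168.101.240,10230186,dcity=Mountain View
192.168.101.240,10363986,dcity=Mountain View
192.168.101.240,4979568,dcity=(null)
,,
72.14.247.91,5115093,scity=Mountain View
"""

def parse_geo_rows(text, drop_null=True):
    """Return (addr, bytes, role, city) tuples from ra CSV output, skipping
    blank records (afterglow shows them as '-> ->'), any header line, and,
    by default, rows whose GeoIP lookup failed and carry city=(null)."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 3 or not rec[0].strip():
            continue
        addr, nbytes, label = (f.strip() for f in rec[:3])
        role, _, city = label.partition("=")
        if role not in ("scity", "dcity") or (drop_null and city == "(null)"):
            continue
        rows.append((addr, int(nbytes), role, city))
    return rows

def aggregate(rows):
    """Sum bytes per (addr, role, city): repeated pairs collapse to one edge."""
    totals = defaultdict(int)
    for addr, nbytes, role, city in rows:
        totals[(addr, role, city)] += nbytes
    return dict(totals)

def to_dot(totals, min_bytes=0):
    """Emit a Graphviz digraph addr -> city; edges under min_bytes are dropped."""
    lines = ["digraph argus_geoip {", "  node [shape=box];"]
    for (addr, role, city), nbytes in sorted(totals.items()):
        if nbytes >= min_bytes:
            lines.append(f'  "{addr}" -> "{city}" [label="{role} {nbytes}"];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":  # pipe the output into: fdp -Tpng -o final.png
    print(to_dot(aggregate(parse_geo_rows(SAMPLE_CSV))))
```

Raising min_bytes is the cheap way to keep the picture readable on a busy capture: the low-volume edges disappear while the heavy talkers per city stay.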
The result (part of it):
Related:
- Argus. Auditing network traffic. Part 4. Generating graphs with AfterGlow.
- Argus. Auditing network traffic. Part 5. Auditing a remote host.
- Argus. Auditing network traffic. Part I
- Argus. Auditing network traffic. Part 2
- Argus. Auditing network traffic. Part 3. Generating graphs with ragraph.
- Graphical visualisation of an Nmap / Scapy scan with AfterGlow / Argus racluster. Clustering and fdp graphs. Part 1
- Argus. Auditing network traffic. Part 6. Argus and geolocation with GeoIP
========================================
And that's it for today. Until next time.
========================================
Hi Alfon,
First of all, congratulations on your blog. Good work.
I'd like to discuss something with you in private, but I can't find your e-mail address. Is there an e-mail address where I can write to you? Thanks.
Regards.