Track who scans your firewall.

Here are a few small tricks for tracking the script kiddies and attackers who scan your firewall.

This is not automated and not a really sexy solution, but it is useful for management reports: it turns a pile of firewall drops into a daily count, a list of source addresses and a map.

If you have other tips, feel free to share them. I know that Splunk with a GeoIP add-on can do this, but it is not that easy to set up.

1. Collect and correlate

To collect the events and correlate them, I use OSSEC. The firewall sends its logs to a syslog-ng collector, which feeds them to OSSEC:

Firewall -> syslog-ng -> OSSEC

The same pipeline should work with Snort alerts too.

2. Aggregate the events

For that, I focus on the /var/ossec/logs/alerts/alerts.log file.

Sample OSSEC event

I use a Bash script to collect and clean up the source IP addresses of the attackers from that file. It produces three things:

  1. A daily count of events (statistics).
  2. The list of source IP addresses, one entry per event, even if several come from the same source (used in 3.1).
  3. The list of unique source IP addresses, which is more relevant for reporting (used in 3.2).
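The script below is an added example, not the author's own script, showing the three extractions against the alerts.log format. The sample alert block it writes is constructed here (the host name fw1, the rule ID and the timestamps are illustrative). It reads only the "Src IP:" line of each alert, so the destination and agent addresses that also appear in the raw log line are not counted as attackers.

```shell
#!/bin/sh
# Added example (not the post's script): aggregate attacker IPs from an OSSEC
# alerts.log. Run with a path to the real file, e.g.
#   sh track.sh /var/ossec/logs/alerts/alerts.log
# or with no argument to use the constructed sample below.

# Write a constructed sample of alerts.log to $1 so the example runs offline.
# Host name, rule ID and timestamps are illustrative, not taken from the post.
write_sample_alerts() {
  cat > "$1" <<'EOF'
** Alert 1298983216.1: - firewall,
2011 Mar 01 13:20:16 fw1->/var/log/firewall.log
Rule: 4151 (level 10) -> 'Multiple Firewall drop events from same source.'
Src IP: 222.186.27.80
Mar  1 13:20:15 fw1 kernel: DROP IN=eth0 SRC=222.186.27.80 DST=10.0.0.1 PROTO=TCP DPT=22

** Alert 1298983290.2: - firewall,
2011 Mar 01 13:21:30 fw1->/var/log/firewall.log
Rule: 4151 (level 10) -> 'Multiple Firewall drop events from same source.'
Src IP: 222.186.27.80
Mar  1 13:21:29 fw1 kernel: DROP IN=eth0 SRC=222.186.27.80 DST=10.0.0.1 PROTO=TCP DPT=23

** Alert 1299069654.3: - firewall,
2011 Mar 02 13:20:54 fw1->/var/log/firewall.log
Rule: 4151 (level 10) -> 'Multiple Firewall drop events from same source.'
Src IP: 78.170.203.175
Mar  2 13:20:53 fw1 kernel: DROP IN=eth0 SRC=78.170.203.175 DST=10.0.0.1 PROTO=TCP DPT=445
EOF
}

# 1. Daily count of alerts. Each alert starts with a "** Alert" header and the
#    next line begins with "YYYY Mon DD HH:MM:SS"; count headers per date.
#    Output: "YYYY Mon DD <count>", one line per day.
daily_count() {
  awk '/^\*\* Alert /{ if ((getline line) > 0) { split(line, a, " "); print a[1], a[2], a[3] } }' "$1" \
    | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

# 2. All source IPs, one per alert, duplicates kept. Only the "Src IP:" line is
#    used: a blind grep for IP patterns would also pick up DST= and the agent
#    address from the raw log line. This is the list to feed to the tag cloud.
all_ips() {
  grep '^Src IP: ' "$1" | awk '{print $3}'
}

# 3. Unique source IPs with their hit count, busiest first (for reporting and
#    for the geolocation step). Output: "<ip> <count>".
unique_ips() {
  all_ips "$1" | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

main() {
  log="${1:-}"
  tmp=""
  if [ -z "$log" ]; then
    tmp=$(mktemp)
    write_sample_alerts "$tmp"
    log="$tmp"
  fi
  echo "== alerts per day =="
  daily_count "$log"
  echo "== all source IPs (weighted list) =="
  all_ips "$log"
  echo "== unique source IPs =="
  unique_ips "$log"
  [ -n "$tmp" ] && rm -f "$tmp"
  return 0
}

main "${1:-}"
```

On the constructed sample this reports two alerts on 2011 Mar 01 and one on 2011 Mar 02, three weighted entries and two unique addresses, 222.186.27.80 counted twice. On a real alerts.log you will also see non-firewall alerts (sshd, web) in the same file; restrict to the firewall group by filtering on the "** Alert" header before counting if that is not what you want.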

3. Draw the picture

3.1. Occurrence

Pasting the full list (duplicates included) into Wordle gives an overview of the weight of each IP address: the more often an address appears, the larger it is drawn.

Wordle Output

Note: Wordle is limited to a certain number of 'words', so trim the list to the busiest sources if it is rejected.

3.2. Geolocation

Using a good GeoIP tool (limited to 100 IP entries), I can map the location of the different attackers from the unique list. Keep in mind that this places the network the address belongs to, not the person behind it: scans from compromised hosts, proxies and botnets will show up under their victim's country.

Result

  • 114.205.88.249 : Seoul, Seoul-t’ukpyolsi, Korea, Republic of
  • 116.255.138.95 : Henan, Shanxi, China
  • 118.167.12.109 : Taipei, T’ai-pei, Taiwan
  • 193.12.177.40 : Helsingborg, Skane Lan, Sweden
  • 193.27.68.133 : Kiev, Kyyivs’ka Oblast’, Ukraine
  • 195.210.47.67 : Kazakstan
  • 202.247.216.136 : Ueda, Nagano, Japan
  • 203.85.96.86 : Central District, Hong Kong
  • 205.204.65.216 : Toledo, Ohio, United States
  • 211.157.108.192 : Beijing, China
  • 212.253.65.189 : Istanbul, Turkey
  • 219.136.252.45 : Guangzhou, Guangdong, China
  • 219.235.240.56 : Beijing, China
  • 222.186.27.80 : Beijing, China
  • 222.186.31.214 : Beijing, China
  • 222.186.51.15 : Zhenjiang, Jiangsu, China
  • 222.216.28.66 : Nanning, Guangxi, China
  • 60.28.24.239 : Tianjin, China
  • 61.175.235.27 : Ningbo, Zhejiang, China
  • 61.7.252.242 : Bangkok, Krung Thep, Thailand
  • 62.148.135.64 : Kaluga, Russian Federation
  • 67.225.162.191 : Lansing, Michigan, United States
  • 69.13.6.10 : Kingston, Ontario, Canada
  • 78.160.241.192 : Erzurum, Turkey
  • 78.161.136.85 : Antalya, Turkey
  • 78.167.30.210 : Giresun, Turkey
  • 78.170.203.175 : Ankara, Turkey
  • 78.170.98.26 : Ankara, Turkey
  • 78.173.246.241 : Mugla, Turkey
  • 78.177.94.144 : Bursa, Turkey
  • 78.187.211.25 : Ankara, Turkey
  • 81.19.98.88 : Madrid, Spain
  • 81.25.194.12 : Paris, Ile-de-France, France
  • 86.63.198.69 : Ceska Lipa, Liberecky kraj, Czech Republic
  • 88.241.116.91 : Istanbul, Turkey
  • 88.246.204.197 : Istanbul, Turkey
  • 93.127.15.212 : Dniepropetrovsk, Dnipropetrovs’ka Oblast’, Ukraine
  • 94.233.74.194 : Krasnodar, Russian Federation
  • 95.68.146.140 : Ulyanovsk, Ul’yanovsk, Russian Federation
  • 98.126.132.242 : Orange, California, United States
