In this article we will show another possible application for the pylogsparser library. We will also discover a simple way to draw and use world maps with Python. You should read the previous article in this series if you haven’t done so, since we will use what we did there as a starting point.
Here at Wallix, we have set up an SSH honeypot for testing and analysis purposes. It always amazes me how often this machine gets randomly attacked on this service, and how the brute-force attacks started mere minutes after the SSH server was up. In our previous article, we gained insight into the origins of the attacks and the targeted accounts with a classic pie chart. This time, I would like a visual way to represent and understand a typical day of brute-force attempts. We could picture it as a world map where a country lights up when an attacker from that country tries to gain access to the honeypot. A world map will be drawn for every moment of the day, and the resulting pictures will then be aggregated into a timelapse animation.
Before we get to work, here are the elements we need:
- obviously, an SSH log file! It should span a full day for accuracy.
- the pylogsparser library along with the GeoIP library. Since pylogsparser 0.3, GeoIP conversion is included in the library, so countries are already tagged when available, provided the GeoIP library is installed!
- the matplotlib library, and more specifically the optional Basemap extension, which can be found here: http://matplotlib.sourceforge.net/basemap/doc/html/ Follow the installation instructions there, as unfortunately this extension is not always packaged for easy deployment.
- the numpy library; it is optional, as we will only use it with matplotlib’s color maps. It should be installed along with matplotlib anyway.
- a shapefile describing country borders (more on that later). For this article, I am using the one freely available at http://thematicmapping.org/downloads/world_borders.php. It is probably neither the most accurate nor the most up-to-date dataset, but it is more than enough for our project.
- Python libraries for manipulating shapefile datasets. In this article, we will use pyshapelib: http://ftp.intevation.de/users/bh/ but there are many other libraries available, as pyshapelib hasn’t been maintained in a while. See this article’s comments for details: http://www.geophysique.be/2011/01/27/matplotlib-basemap-tutorial-07-shapefiles-unleached/ (incidentally, that article was the inspiration for this work)
- ffmpeg, or anything that can make a timelapse animation out of still pictures.
Now that we’ve got everything, let’s get to work!
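As an added example (not code from this article or from pylogsparser), here is the first step of the plan above in plain Python: failed sshd logins are bucketed by hour and by source country, giving one per-country count for each frame of the timelapse. The log lines and the IP-to-country table are constructed stand-ins for a real day of logs and for the GeoIP tagging that pylogsparser performs.

```python
import re
from collections import Counter

# Constructed sample sshd lines (syslog format, one honeypot day); not real log data.
SAMPLE_LOG = """\
Mar 14 00:02:11 honeypot sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 14 00:02:15 honeypot sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar 14 00:47:03 honeypot sshd[2260]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar 14 01:10:44 honeypot sshd[2302]: Accepted publickey for ops from 203.0.113.5 port 50000 ssh2
Mar 14 01:12:09 honeypot sshd[2310]: Failed password for root from 203.0.113.99 port 40001 ssh2
Mar 14 23:58:30 honeypot sshd[9001]: Failed password for invalid user test from 192.0.2.10 port 52000 ssh2
"""

# Stand-in for the GeoIP tagging pylogsparser does: a hypothetical mapping for the
# documentation IP ranges above (assumption, not real geolocation data).
IP_TO_COUNTRY = {"192.0.2.10": "AA", "198.51.100.7": "BB", "203.0.113.99": "CC"}

# Only "Failed password" events count as brute-force attempts; accepted logins are skipped.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_by_hour(log_text, ip_to_country=IP_TO_COUNTRY, slots=24):
    """Return a list of `slots` Counters: frames[hour][country] = failed attempts."""
    frames = [Counter() for _ in range(slots)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other sshd noise are not attacks
        country = ip_to_country.get(m.group("ip"), "??")  # "??" when GeoIP has no entry
        frames[int(m.group("hour"))][country] += 1
    return frames


def active_countries(frames):
    """Countries that should light up in each frame: {hour: set of country codes}."""
    return {hour: set(counts) for hour, counts in enumerate(frames) if counts}
```

Each entry of `frames` is the data for one still picture; the per-country counts can drive the color map intensity, and `active_countries` gives the set to highlight in that frame.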