PicViz pour des logs SourceFire

Installation avec Debian

Télécharger l'archive
Installer les pré-requis

# Build dependencies on Debian.
# NOTE(review): cairo-dock is a desktop dock application, not the Cairo
# library headers -- confirm which package the PicViz build actually needs.
# libpcre3-dbg only provides debug symbols and is not required to compile.
apt-get install flex bison python-dev python-qt4 cmake cairo-dock gcc libpcre3 libpcre3-dbg libpcre3-dev

Compiler et Installer

# Unpack the PicViz tarball and build libpicviz.
# NOTE(review): the page gives no download URL or checksum for
# picviz-latest.tar.bz2; check the archive against a published checksum or
# signature before compiling and installing it with root privileges.
tar xvjf picviz-latest.tar.bz2
cd picviz-latest/libpicviz
# Move the CMakeCache.txt found in build/ aside (presumably so that cmake
# regenerates it for this machine).
# NOTE(review): no cmake invocation appears between this step and `make` --
# confirm whether a configure step (e.g. in build/) is needed first.
mv build/CMakeCache.txt build/CMakeCache.old
 
# Build and install the library (installing typically needs root).
make 
make install
 
# Build and install the Python bindings.
# NOTE(review): this path is relative to libpicviz/ -- confirm the bindings
# directory is really located there.
cd src/bindings/python/
python ./setup.py install
 
# Build and install the frontend.
# NOTE(review): relative to the bindings directory entered just above this
# path would not exist; it is probably meant relative to picviz-latest/.
cd src/frontend/
python ./setup.py install

Parseur pour les logs SourceFire

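#!/usr/bin/perl
# sf2picviz: turn SourceFire (SFIMS) syslog alert lines into a PicViz PGDL
# document.  Input is read from the files named on the command line (or
# STDIN); the PGDL text is written to STDOUT, one data row per log line that
# matches the expected alert format.
use strict;
use warnings;

print "header {\n";
print "    title = \"SourceFire picviz analysis\";\n";
print "}\n";

print "axes {\n";
# Alternative axis set kept for reference; the enum-only set below spreads
# the values more evenly along each axis.
#print "    enum     jour [label=\"Jour\"];\n"; # Time
#print "    timeline time [label=\"Time\", relative=\"true\"];\n";
#print "    enum time [label=\"Time\"];\n";
#print "    ipv4     sip [label=\"Source IP\", relative=\"true\"];\n"; # Machine
#print "    integer  sport [label=\"Source PORT\", print=\"false\"];\n";
#print "    ipv4     dip [label=\"Destination IP\", relative=\"true\"];\n"; # Application
#print "    integer  dport [label=\"Destination PORT\", print=\"false\"];\n";
#print "    enum     signature_name [label=\"Siganture Name\"];\n";
#print "    enum     signature_impact [label=\"Siganture Impact\", print=\"false\"];\n";

print "    enum     jour [label=\"Jour\"];\n";            # Time (day)
print "    enum     time [label=\"Time\"];\n";            # enum gives a better spread on the axis
print "    enum     sip [label=\"Source IP\"];\n";        # Machine
print "    enum     dip [label=\"Destination IP\"];\n";   # Application
print "    enum     signature_name [label=\"Siganture Name\"];\n";

print "}\n";

print "data {\n";

# One SFIMS alert line, after the double quotes have been stripped.  Example:
#   Aug 23 22:16:18 SF-MGMT01 SFIMS: [1:1394:15] INDICATOR-SHELLCODE x86 inc ecx NOOP [Impact: Potentially Vulnerable] From NEPI-SND01-SOC at Sat Aug 23 22:16:18 2014 UTC [Classification: Executable Code was Detected] [Priority: 1] {tcp} 10.1.2.3:4148->192.168.1.10:80
# Capture groups are numbered in the trailing comments.  The hyphen is placed
# last inside the character classes so perl does not warn about a false range.
my $sfims_re = qr/
    (\w+\s+\d{1,2}) \s+                               # 1  date, e.g. "Aug 23"
    (\d\d:\d\d:\d\d) \s+                              # 2  time of day
    ([a-zA-Z0-9-]+) \s+                               # 3  syslog hostname
    ([SFIMS:]{1,6}) \s+                               # 4  "SFIMS:" tag
    (\[\d+:\d+:\d+\]\s+)                              # 5  "[gid:sid:rev] "
    ([\w:\s-]+)                                       # 6  signature name
    (\[Impact:\s+[\w\s]+\]) \s+                       # 7  "[Impact: ...]"
    From\s+[\w-]+\s+[\w\s:]+\s+                       #    sensor name and timestamp, not captured
    ([\[\w:\s-]+\]) \s+                               # 8  "[Classification: ...]"
    ([\[\w:\s-]+\]) \s+                               # 9  "[Priority: N]"
    \{(\w+)\} \s+                                     # 10 protocol
    (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})    # 11,12 source ip:port
    ->
    (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})    # 13,14 destination ip:port
/x;

# NOTE(review): `<>` opens each @ARGV entry with 2-arg open semantics, so
# special characters in an argument change how it is opened; on perl 5.22+
# the `<<>>` operator reads the arguments strictly as file names.
while (my $line = <>) {
    chomp $line;        # the original `chomp;` acted on $_ and left the newline on $line
    $line =~ s/"//g;    # strip double quotes: fields are interpolated unescaped into quoted PGDL values below

    my @field = $line =~ $sfims_re;
    if (!@field) {
        # Printing a row from stale captures would attribute the previous
        # alert's values to this line, so skip it and report it on STDERR.
        warn "sf2picviz: input line $. did not match the SFIMS alert format, skipped\n";
        next;
    }
    my ($jour, $heure, $signature_name, $signature_impact, $src_ip, $src_port, $dst_ip, $dst_port)
        = @field[0, 1, 5, 6, 10, 11, 12, 13];

    # sport, dport and signature_impact are emitted although no axis above
    # declares them -- TODO confirm how PicViz treats undeclared keys.
    print "    jour=\"$jour\", time=\"$heure\", sip=\"$src_ip\", sport=\"$src_port\", dip=\"$dst_ip\", dport=\"$dst_port\", signature_name=\"$signature_name\", signature_impact=\"$signature_impact\";\n";
}

print "}\n";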

Utilisation de PicViz

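# Convert the SourceFire log to PGDL: the parser reads the log named on the
# command line and writes the PGDL document to stdout.
./sf2picviz.pl log1.no_ssh > log1.no_ssh.pcv
 
# Render the graph.  The .pcv name must be the file written by the step above
# (the two names previously disagreed: log1.no_ssh2.pcv vs log1.no_ssh.pcv).
pcv -Tpngcairo -rrrrra log1.no_ssh.pcv -o log1.no_ssh.png -Rheatline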

 
 