12 January 2014, 21:36

This post shows how to get B.A.S.E. (Basic Analysis and Security Engine) to display the Alert World Map, which really does add some glitter to BASE.

[Screenshot S6a: the BASE alert world map]

(Nothing is implied by the choice of countries shown on this map; they are simply countries I like ;-) )

Tested on Debian 7.5. Edited June 03, 2014.

(Does not seem to work with Ubuntu 14.04 LTS.)

 

1. BASE WORLDMAP install

 

 

World map pictures install:

We first have to find the PEAR directory:

pear config-show

We go to the PEAR directory (the php_dir entry, usually /usr/share/php) and then to the subdirectory:

Image/Graph/Images/Maps/

We need to copy these two files there:

world_map6.png
world_map6.txt

They ship with BASE and are located in /var/www/base/ and /usr/src/base-1.4.5/, i.e.:

sudo cp /var/www/base/world*.* /usr/share/php/Image/Graph/Images/Maps

(Adjust the destination if pear config-show reports a different php_dir.)

 

 

Binaries install:

sudo apt-get install geoip-bin
sudo apt-get install libgeo-ip-perl
sudo apt-get install libgeo-ipfree-perl

sudo find / -name "GeoIP.dat"
(note: the file name is case sensitive)
Here it is at /usr/share/GeoIP/GeoIP.dat

We cd into it:

 

cd /usr/share/GeoIP/

 


sudo perl -MCPAN -e 'install Geography::Countries'

(Answer yes / yes to the questions.)

sudo perl -MCPAN -e 'install IP::Country'

sudo leafpad /var/www/base/base_conf.php

Near the end of the config file, uncomment the "$IP2CC..." line and correct the ip2cc path if needed (check where CPAN actually put the binary with: which ip2cc):

//$IP2CC = "/usr/bin/ip2cc";         becomes     $IP2CC = "/usr/local/bin/ip2cc";



cd /usr/lib/perl5/Geo

(Explore the site http://cpansearch.perl.org/src/BRICAS/ to find the right version.)

sudo wget http://cpansearch.perl.org/src/BRICAS/Geo-IPfree-1.140470/misc/ipct2txt.pl
sudo cp /usr/share/perl5/Geo/ipscountry.dat ./

sudo perl ipct2txt.pl ./ipscountry.dat /var/www/base/ips-ascii.txt

(The script is fetched over plain HTTP and then run as root: read it before running it.)


Fix the font problem:

There is a font display problem in BASE. The easiest way to fix it is this:

sudo leafpad /var/www/base/base_conf.php

Comment out all the font names and uncomment $graph_font_name = "", i.e.:

font choice:
           // $graph_font_name = "Verdana";
           // $graph_font_name = "DejaVuSans";
           // $graph_font_name = "Image_Graph_Font";
           $graph_font_name = "";
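Once the steps above are done, it is worth confirming the three things this section touched before opening BASE: the two map files under PEAR's Image/Graph/Images/Maps, an active $IP2CC line in base_conf.php that points at an executable, and the $graph_font_name workaround. The script below is an added example written for this post, not code from BASE or Snort; it takes the base_conf.php path and the PEAR php_dir as arguments, and the default paths in its usage comment are the ones used on this page.

```shell
#!/bin/sh
# Added preflight check for the BASE world map prerequisites set up above.
# Not part of BASE: a helper written for this post.
# Usage: sh check_worldmap.sh /var/www/base/base_conf.php /usr/share/php
#        (second argument is the php_dir reported by "pear config-show")

# Print the path from the active (uncommented) $IP2CC line of base_conf.php,
# or nothing if the line is still commented out or absent.
ip2cc_path_from_conf() {
    sed -n 's/^[[:space:]]*\$IP2CC[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if base_conf.php has an active $graph_font_name line (the font fix
# on this page leaves exactly one, set to "").
has_active_font_line() {
    grep -q '^[[:space:]]*\$graph_font_name[[:space:]]*=' "$1"
}

# Check everything the install steps touched.  Return 0 when all is in place,
# 1 otherwise, printing one line per problem on stderr.
check_worldmap_prereqs() {
    conf="$1"
    pear_dir="$2"
    fails=0
    maps="$pear_dir/Image/Graph/Images/Maps"

    # 1. the two world map files copied into PEAR's Image_Graph tree
    for f in world_map6.png world_map6.txt; do
        if [ ! -f "$maps/$f" ]; then
            echo "MISSING: $maps/$f" >&2
            fails=$((fails + 1))
        fi
    done

    # 2. $IP2CC uncommented and pointing at an executable ip2cc
    ip2cc=$(ip2cc_path_from_conf "$conf")
    if [ -z "$ip2cc" ]; then
        echo "MISSING: no active \$IP2CC line in $conf" >&2
        fails=$((fails + 1))
    elif [ ! -x "$ip2cc" ]; then
        echo "MISSING: \$IP2CC points to $ip2cc, which is not executable" >&2
        fails=$((fails + 1))
    fi

    # 3. the font workaround (reported as a warning only)
    if ! has_active_font_line "$conf"; then
        echo "WARN: every \$graph_font_name line in $conf is commented out" >&2
    fi

    [ "$fails" -eq 0 ]
}

# Run the check when invoked with both paths; sourcing the file only defines
# the functions.
if [ "$#" -ge 2 ]; then
    check_worldmap_prereqs "$1" "$2" && echo "OK: world map prerequisites in place"
fi
```

Run it as root (or as a user that can read base_conf.php); a non-zero exit with a MISSING line tells you which of the steps above to redo.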



2. World Map Display Test

 

The world map alert display fails if the recorded alerts contain ONLY private IPs, since private addresses cannot be mapped to a country. We will use local.rules to trigger some alerts with public IPs, e.g.:

--------------------------------------------------------------------------------

alert tcp any any -> $EXTERNAL_NET 80 (msg:"HTTP Request Outbound NOW!!!"; classtype:not-suspicious; sid:1000003; rev:1;)

alert tcp any 80 -> $HOME_NET any (msg:"HTTP Reply Inbound NOW!!!"; classtype:not-suspicious; sid:1000004; rev:1;)
--------------------------------------------------------------------------------

(We update sid-msg.map if needed. These two rules fire on every HTTP connection, so remove them from local.rules once the map works, or the alert table will fill with noise.)

 

We restart SNORT:

 

sudo service snort restart

 

and browse the web to trigger many alerts with public IPs.
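Before blaming the map for a blank display, it helps to know whether the alert table actually holds public addresses. The script below is an added helper written for this post, not part of BASE or Snort: it converts the integer form in which BASE stores addresses (iphdr.ip_src, an unsigned 32-bit value) back to dotted quad, classifies each one as private or public, and reports whether at least one public source exists. The SQL query in the usage comment and the sample integers are constructed for the example.

```shell
#!/bin/sh
# Added helper for this post, not part of BASE or Snort: check that the
# recorded alerts contain at least one public source address.
# Usage (assumed query, adjust database name / credentials):
#   mysql -N -e 'SELECT ip_src FROM iphdr' snort | sh ip_mix.sh
#   sh ip_mix.sh --demo      # run on the constructed sample below

# Convert the unsigned 32-bit integer BASE stores in iphdr to dotted quad.
int2ip() {
    n="$1"
    printf '%d.%d.%d.%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
                           $(( (n >> 8) & 255 ))  $(( n & 255 ))
}

# Return 0 when the dotted-quad address is not routable on the Internet:
# RFC 1918 (10/8, 172.16/12, 192.168/16), loopback 127/8, link-local
# 169.254/16 and 0/8.  Such addresses have no country, so they add nothing
# to the world map.
is_private_ip() {
    oldifs="$IFS"
    IFS=.
    set -- $1
    IFS="$oldifs"
    a="$1"; b="$2"
    [ "$a" -eq 10 ] && return 0
    [ "$a" -eq 127 ] && return 0
    [ "$a" -eq 0 ] && return 0
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 0
    return 1
}

# Read one integer per line on stdin, print "public N private M", and return
# 0 only when at least one public address is present.
count_public_private() {
    pub=0
    priv=0
    while read -r n; do
        [ -z "$n" ] && continue
        ip=$(int2ip "$n")
        if is_private_ip "$ip"; then
            priv=$((priv + 1))
        else
            pub=$((pub + 1))
        fi
    done
    echo "public $pub private $priv"
    [ "$pub" -gt 0 ]
}

# Constructed sample: integer form of 192.168.1.1, 10.0.0.5, 8.8.8.8, 1.1.1.1
SAMPLE_IPS='3232235777
167772165
134744072
16843009'

if [ "${1-}" = "--demo" ]; then
    echo "$SAMPLE_IPS" | count_public_private
fi
```

If the script reports "public 0", the test rules above have not fired yet (or only local traffic has been seen) and the map will stay empty no matter how BASE is configured.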

 

 

Using the World Map display

We use the BASE menu Graph Alert Data:

[Screenshot S6c: the Graph Alert Data menu]

What do you want to know: source countries vs. number of alerts on a world map

[Screenshot S6b: the "What do you want to know" selection]

We hit the 'Graph Alerts' button:

[Screenshot S6d: the Graph Alerts button]

And voila!:

[Screenshot S6a: the resulting alert world map]

NB2: The World Map display won't auto-refresh.


 

 

- SNORT® is a registered trademark  of Sourcefire, Inc. -

Published by computer outlines - in NIDS