I'm interested to try it on CentOS, any help?

I have noticed that the current code only displays inbound traffic to the headquarters (main location). However, I believe it would be beneficial to also visualize outbound traffic from the headquarters, particularly the traffic that sends data to random IP addresses, such as reverse shell traffic.

Hey guys,

When I install geoip-map-attack everything works fine except the world map display.

Can you help Me Please.

Thanks

Hello

Can you help me with your application.
I try to make it work on a fresh Ubuntu Server 16.04.2 LTS.
Installation successful.

Redis-server is active
sudo service redis-server status
● redis-server.service - Advanced key-value store
Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2017-03-17 18:57:18 MSK; 2 days ago
Docs: http://redis.io/documentation,
man:redis-server(1)
Main PID: 1147 (redis-server)
Tasks: 3
Memory: 2.0M
CPU: 3min 12.186s
CGroup: /system.slice/redis-server.service
└─1147 /usr/bin/redis-server 0.0.0.0:6379

Mar 17 18:57:18 geoip systemd[1]: Starting Advanced key-value store...
Mar 17 18:57:18 geoip run-parts[1085]: run-parts: executing /etc/redis/redis-server.pre-up.d/00_example
Mar 17 18:57:18 geoip run-parts[1148]: run-parts: executing /etc/redis/redis-server.post-up.d/00_example
Mar 17 18:57:18 geoip systemd[1]: Started Advanced key-value store.

1. I start sudo python3 DataServer.py
2. In another session I run ./syslog-gen.sh
3. I see some events in first session with DataServer.py
4. In another new session I start sudo python3 AttackMapServer.py - (see [*] Waiting on browser connections...)
5. Open a browser and open a link of server:8888 - (map is open, I see a hq_point, but no traffic activities)
6. In AttackMapServer.py session - I get an error
   geoip@geoip:/opt/geoip-attack-map/AttackMapServer$ sudo python3 AttackMapServer.py
   [sudo] password for geoip:
   [] Waiting on browser connections...
   [] WebSocketChatHandler opened
   [] Connected to Redis server
   [] Closing connection.
   ERROR:tornado.application:Exception in callback <function wrap..null_wrapper at 0x7f9c17c4d048> for <tornado.concurrent.Future object at 0x7f9c17c945f8>
   Traceback (most recent call last):
   File "/usr/local/lib/python3.5/dist-packages/tornado/concurrent.py", line 322, in _set_done
   cb(self)
   File "/usr/local/lib/python3.5/dist-packages/tornado/stack_context.py", line 275, in null_wrapper
   return fn(*args, **kwargs)
   File "/usr/local/lib/python3.5/dist-packages/tornado/gen.py", line 199, in final_callback
   if future.result() is not None:
   File "/usr/local/lib/python3.5/dist-packages/tornado/concurrent.py", line 237, in result
   raise_exc_info(self._exc_info)
   File "", line 3, in raise_exc_info
   File "/usr/local/lib/python3.5/dist-packages/tornado/gen.py", line 1024, in run
   yielded = self.gen.send(value)
   File "/usr/local/lib/python3.5/dist-packages/tornadoredis/client.py", line 1164, in listen
   callback(result)
   File "AttackMapServer.py", line 234, in on_message
   self.write_message(json.dumps(msg_to_send))
   File "/usr/local/lib/python3.5/dist-packages/tornado/websocket.py", line 210, in write_message
   raise WebSocketClosedError()
   tornado.websocket.WebSocketClosedError
   WARNING:tornado.access:404 GET /favicon.ico (10.21.124.135) 0.98ms

What I do wrong?
I try to check redis connection
redis-cli
127.0.0.1:6379> ping
PONG
127.0.0.1:6379> exit
Seems it work...

How to make it work?

Hi,

This project is really amazing. However, I'm trying to point attack source ip to destination ip on map instead of limiting to headquarters (based on info from syslog). So it would be a great help if you can point me on how to get this done..

Thanks!!

How to log normalization ?

WebSocket connection to 'ws://127.0.0.1:8888/websocket' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED

I like seeing what percentage of the project is HTML, Python, JavaScript, Bash, etc, so I'm thinking about separating the HTML and JavaScript into separate files (index.html, and index.js).

Thoughts/Ideas?

I created a new feature. I removed the first table, the one that shows the colors and the protocols, and added a new one in which the quantity and the target ip appear. Thus it is possible to know which network ips are more and / or less attacked.

Hi,

It seems that you included your own apikey for mapbox. So it seems you have run out of api calls. I registered my own account on mapbox however my account doesn't have the map that is being used ("mmay601.p9if994e") Is there any way you can share it or explain how to create the map that is currently used?

Thank you in advanced.

All data is processed normally, but the mapbox background map is not rendered to web page as shown on the screen in attach. I've tried to generate a new access token - that did solve the 401 error code issue, but now I get the 404 when JS is trying to access the mapbox url.

If there are residual logs in /var/log/syslog, they will all be processed by DataServer.py when initialized. I would prefer if it only processed real time events.

Two options:

1. Truncate /var/log/syslog when DataServer.py is initialized.
2. Start reading from end of /var/log/syslog.

Thoughts/Ideas?

Hello,

Hope you doing well.
How can i configure geoIP-attack-map with my Arcsight ESM.
Can you please help out for this issue.

Thanking you.
Devang Raval.

Please share some handy free normalization techniques that sweets for this map

Please Help on how to show the attacks on multiple destination IPs. Please share the codes if anyone solved it already !

Hello, i just recently set up my geoip-attack-map, everything works fine when am using dummy traffic, i have a SIEM that has been configured to send logs to the Attackmap server but whenever i run Dataserver.py it shows NOT A VALID LOG. Is there a solution for this??

To facilitate the task of stopping and starting the process, follow the process I did:

OS: Debian

cd /etc/systemd/system/

nano geoipattack1.service

[Unit]
Description = Geoip Attack Snort LOG
After = syslog.target network.target

[Service]
Type = simple
ExecStart = / home/user/geoip-attack-map/AttackMapServer/AttackMapServer.py

[Install]
WantedBy = multi-user.target

nano geoipattack2.service

[Unit]
Description = Geoip Attack Snort LOG DATA
After = syslog.target network.target

[Service]
Type = simple
ExecStart = /home/ user/geoip-attack-map/DataServer/DataServer.py

[Install]
WantedBy = multi-user.target

systemctl daemon-reload

systemctl start geoipattack1

systemctl start geoipattack2

systemctl stop geoipattack1

systemctl stop geoipattack2

One of the big issues with DataServer.py is that memory is constantly consumed. Variables are ever growing, and this needs to change, so maybe we should use a database? I'm thinking we incorporate mongodb, and track metrics there. That way variables aren't tracking metrics the entire time, and we save on memory space.

Thoughts/Ideas?

Why can't my map be displayed?
Everything else is right that the map is black.
@MatthewClarkMay

There are currently several constant variable included in DataServer.py and AttackMapServer.py. Should we add these to one file and import them?

Thoughts/Ideas?

I build the map in my server some days.
But yesterday,I find the token have some problems.
It seems the token is out of time.
How can I use Mapbox and get a map same as yours with my own token.
Thanks!

Please can this be done on a raspberry pi 3....
Thanks

Hello,

First off I love this map. It's a nice KISS (Keep It Simple Stupid) approach which I've been looking for. Thank you for developing it.

I've been able to feed the map from our SIEM without an issue. One thing I've noticed is the is seems to plot from src_ip -> hqLatLng (from the static/map.js). We have multiple sites around the county and it would be useful for it to plot from src_ip -> dst_ip.

Is this possible with the current code? It seems to take the dst_ip from the feed but I don't see where it actually uses it along with the maxmind data to plot from src -> dst.

If it does not, I'll see what I can kludge together. Thank you again.

How to slow down the speed of simulate dummy traffic？The lines on the map are very messy.

Has happened to give error in the application when the amount of logs is very great and very fast. I have checked that the java script toLowerCase () function used to put flag images is to blame. I have adopted a simple solution here:

// var path = 'flags /' + args [i] .toLowerCase () + '.png';
Var path = 'flags /' + args [i] + '.png';

I removed toLowerCase () and used a shell script function to rename by capitalizing the acronyms of countries in the flags directory. Resolved for me.