Event Data Visualization


About

If you are using Snort and Sguil you can use this tool to quickly create link graphs with Afterglow. It will create the necessary HTML, scaled (albeit quite large) thumbnails and the links so that you can navigate the originals.
All you need to do is provide a list of filters so that it knows what to generate.

If you aren't using Sguil, it shouldn't be too tough to modify it to suit your needs. It is currently controlled by Cron or the command line.
See the setup section below for more info.






Download

http://sites.google.com/site/interrupt0x13h/files/edv.tgz


Setup

1) You will require a PHP (with CLI) enabled web server, and afterglow.

2) Extract edv.tgz to the web root.

3) Edit .inc/config.inc. It is pretty straight forward.

4) Take a look at .inc/filters.inc. Remove or add to taste (info inside). You need at
least 1 entry because this is what is used to build the web sections.

5) gen.php is intended to be called via cron. It simply iterates through the filter
array and calls glow.php, the main program.

~$ ./gen.php
Usage: ./gen.php <start date> <start time> <end date> <end time> <record count>

if its only argument is "go" it will generate all of your graphs for that day.

My cron entry looks like this:

*/30       *     *       *       *       /usr/local/www/edv/gen.php go

6) You can also call glow.php directly. With no arguments it will show you which filters
are available:

~$ ./glow.php
Usage: ./glow.php <filter> <start date> <start time> <end date> <end time> <record count>
Available filters are:

All Events
Campus Network
Student VLAN
Trojan Activity
Scans
P2P Activity
Pornography
Malware
Test

Ex: ~$./glow.php "Trojan Activity" 2010-03-01 00:00:00 2010-03-02 00:00:00 100

The events are ordered by date so you would retrieve the 100 most recent records for this day.
Feeding it a "0" for record count will return all records for that constraint.

7) edv.php handles the web stuff. Once you generate anything, it takes care of the rest.
Simply visit with your browser. At any time you can generate things in the past. To find them
just look for their <start date> on the calendar.

8) Don't get too crazy with long spans and/or lots of results; you will quickly exhaust system memory.
If things are failing, take a peek at your httpd-error.log. You may also need to increase your "memory_limit"
in php.ini.

9) This is Beta, beta, beta. I have a bit of work to do yet but it is usable; and kinda neat.