Picviz::Dshield
By Sebastien Tricaud on Wednesday, August 20 2008, 19:51 - Permalink
I have written a Perl module to access Dshield data. The idea behind it is to let Picviz react to what Dshield sees, such as coloring lines in red if they match.
To use the class, tell Perl to use it and create a new object like this:

use Picviz::Dshield;

# Fetches the current Dshield IP and port trend lists
my $dshield = Picviz::Dshield->new();

This will actually download the list of IP and port trends from my daily updated wallinfire.net mirror (to avoid bothering dshield.org).

Then, to check whether an IP address matches Dshield data, you can call:

if ($dshield->ip_check("192.168.1.42")) {
    print "The IP address is in the Dshield database\n";
} else {
    print "The IP address is not in the Dshield database\n";
}

So, without any knowledge of how Dshield works, you can easily script a connection to it from Perl.

After that, I modified the SSH authentication script to see whether my server was attacked by IP addresses in Dshield, and I produced the following graph:

As you can see, there is a red line, showing that I got SSH scanned by one IP address at different times, with (hopefully!) failed authentication, on the root login.

All this is available in the tools/ directory of the latest Picviz trunk. To install the Dshield Perl module, simply type:

$ cd trunk/tools/Picviz-Dshield
$ perl Makefile.PL
$ make
$ sudo make install

and you can test your SSH connections using the SSH connection script in tools/auth/:

$ perl ssh-authdshielded2pcv.pl /var/log/auth.log > auth.pcv
$ picviz-gui auth.pcv
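As an added example (not code from the Picviz project), the Perl script below shows the kind of enrichment the ssh-authdshielded2pcv.pl script performs: it parses sshd lines from auth.log, checks each source IP against a Dshield-style list and marks failed logins from listed addresses red. The trend list, the log lines, the local ip_check() and the output record format are constructed stand-ins so it runs offline; a real script would call Picviz::Dshield->new() and $dshield->ip_check() and write genuine .pcv output.

```perl
#!/usr/bin/perl
# Added example: flag SSH failures whose source IP is on a Dshield-style list.
use strict;
use warnings;

# Constructed stand-in for the downloaded IP trend list (one IP per line).
my $trend_list = <<'END';
203.0.113.77
198.51.100.9
END
my %dshield = map { $_ => 1 } grep { length } split /\n/, $trend_list;

# Local stand-in for Picviz::Dshield->ip_check(): true if the IP is listed.
sub ip_check { my ($ip) = @_; return exists $dshield{$ip}; }

# Constructed auth.log lines in the syslog format written by OpenSSH.
my @auth_log = (
  'Aug 20 19:40:01 srv sshd[2211]: Failed password for root from 203.0.113.77 port 51122 ssh2',
  'Aug 20 19:40:05 srv sshd[2213]: Accepted publickey for alice from 192.0.2.10 port 40110 ssh2',
  'Aug 20 19:41:17 srv sshd[2220]: Failed password for invalid user admin from 10.0.0.5 port 33000 ssh2',
  'Aug 20 19:42:03 srv sshd[2225]: Failed password for root from 203.0.113.77 port 51190 ssh2',
);

# Parse one sshd line; returns (time, result, user, ip) or an empty list.
sub parse_sshd {
  my ($line) = @_;
  return () unless $line =~
    /^\w{3}\s+\d+\s+(\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+(Failed|Accepted)\s+\S+\s+for\s+(?:invalid user\s+)?(\S+)\s+from\s+(\d{1,3}(?:\.\d{1,3}){3})\s/;
  return ($1, $2, $3, $4);
}

# Build one record per parsable line; failed logins from listed IPs get
# color "red", as in the post's graph. Record syntax is a simplified
# stand-in, not the real .pcv format.
sub process {
  my @records;
  for my $line (@_) {
    my ($time, $result, $user, $ip) = parse_sshd($line) or next;
    my $color = ($result eq 'Failed' && ip_check($ip)) ? 'red' : 'black';
    push @records,
      qq{time="$time", ip="$ip", login="$user", result="$result" [color="$color"]};
  }
  return @records;
}

print "$_\n" for process(@auth_log);
```

Running it prints four records, of which the two root failures from 203.0.113.77 carry color="red" while the accepted login and the failure from the unlisted 10.0.0.5 stay black.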
Comments
I'm using Perl 5.8.8 instead of 5.10.0; I just removed the line

use 5.010000;

in Makefile.PL and blib/lib/Picviz/Dshield.pm and it's working OK.
Problems compiling the Picviz svn code:

[ 70%] Building C object src/libpicviz/CMakeFiles/picviz.dir/filters/filter-lexer.o
cc1: warnings being treated as errors
/root/Desktop/picviz/src/libpicviz/filters/filter-lexer.c: In function 'yy_get_next_buffer':
/root/Desktop/picviz/src/libpicviz/filters/filter-lexer.c:1128: warning: comparison between signed and unsigned
make[3]: *** [src/libpicviz/CMakeFiles/picviz.dir/filters/filter-lexer.o] Error 1
It seems the version of flex you are using generates warnings. Since the Picviz code is written to be strict, I treat warnings as errors so as not to let a warning go.

As a result, either upgrade to a more recent flex version (and, if that solves the problem, report the bug to the flex program) or remove the following lines in CMakeLists.txt:

set(CMAKE_C_FLAGS "-Wall -Wextra -Werror")
set(CMAKE_C_FLAGS_DEBUG "-Wall -Wextra -Werror -O0 -ggdb")