debugMessage(3,"Mindate: "+str(mindate)) try: log_file = open(AUTH_LOG_PATH, 'r') except: debugMessage(1,AUTH_LOG_PATH+" not found, exiting") os.remove(PID_FILE_PATH) exit(0) sources = { } count = 0 for log in log_file: dic = {'raw': log} normalizer.normalize(dic) if dic.get('date')==None: continue dic['date']=dic['date'].replace(year=datetime.datetime.today().year) if dic.get('date') < mindate: continue if dic.get('date') == mindate: if session.query(Event).filter( Event.date == mindate).filter( Event.action == dic.get('action')).filter( Event.user == dic.get('user')).filter( Event.program == dic.get('program')).count() > 0 : continue if dic.get('program') == 'sshd': # Gestione connessioni ssh: il source ip si trova su una action # 'accepted', mentre la connessione viene aperta in 'open'
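import numpy as np
import matplotlib.pyplot as plt
import pylab
# color palette
from matplotlib import cm
from logsparser.lognormalizer import LogNormalizer as LN
import GeoIP

# Both paths are hard-coded to one developer's home directory, so the script
# only runs unmodified on that machine; they are kept as the author wrote them
# but named so a future reader can see what has to change.
NORMALIZERS_PATH = '/home/kura//.virtualenvs/ssh-attack-visualisation/share/logsparser/normalizers/'
AUTH_LOG_COMBINED_PATH = '/home/kura/workspace/ssh-attack-visualisation/logs/auth.log.combined'

normalizer = LN(NORMALIZERS_PATH)
locator = GeoIP.new(GeoIP.GEOIP_MEMORY_CACHE)

# dataset maps an 'HHMMSS' time-of-day key to {country_code: failed-login count}.
dataset = {}

# 'with' closes the log file once the loop finishes instead of leaking the
# handle for the rest of the script.
with open(AUTH_LOG_COMBINED_PATH, 'r') as auth_logs:
    for log in auth_logs:
        # rstrip('\n') instead of log[:-1]: the last line of the file may have
        # no trailing newline, and slicing would then drop a real character.
        entry = {'raw': log.rstrip('\n')}
        normalizer.normalize(entry)
        if entry.get('action') != 'fail':
            continue
        date = entry.get('date')
        if date is None:
            # The normalizer set no timestamp for this line; nothing to bucket.
            continue
        # presumably 'date' is a datetime set by the normalizer (the original
        # read .hour/.minute/.second on it) — confirm against logsparser.
        key = '%02d%02d%02d' % (date.hour, date.minute, date.second)
        per_country = dataset.setdefault(key, {})
        source_ip = entry.get('source_ip')
        # A 'fail' line without a source address used to raise KeyError and
        # abort the whole run; count it under "Unknown" like an unresolvable
        # address instead.
        country = locator.country_code_by_addr(source_ip) if source_ip else None
        if not country:
            country = "Unknown"
        per_country[country] = per_country.get(country, 0) + 1

from mpl_toolkits.basemap import Basemap


def makemap():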
debugMessage(3, "Mindate: " + str(mindate)) try: log_file = open(AUTH_LOG_PATH, 'r') except: debugMessage(1, AUTH_LOG_PATH + " not found, exiting") os.remove(PID_FILE_PATH) exit(0) sources = {} count = 0 for log in log_file: dic = {'raw': log} normalizer.normalize(dic) if dic.get('date') == None: continue dic['date'] = dic['date'].replace(year=datetime.datetime.today().year) if dic.get('date') < mindate: continue if dic.get('date') == mindate: if session.query(Event).filter(Event.date == mindate).filter( Event.action == dic.get('action')).filter( Event.user == dic.get('user')).filter( Event.program == dic.get('program')).count() > 0: continue if dic.get('program') == 'sshd': # Gestione connessioni ssh: il source ip si trova su una action # 'accepted', mentre la connessione viene aperta in 'open' if dic.get('action') == 'accept':