Tag Archives: sed

Visualizing sshd brute-force attempts (part 2)

It’s always better to Read The Fine Manual (or run perl afterglow.pl -h for the more up-to-date help text)…though it’s not really that well documented 😛 Afterglow accepts two-column input directly, so there is no need for weird tricks like padding the csv out to three columns.

(Note to self: where possible, get the raw data with the fields already in the order you want, which is faster, rather than pumping it through sed. Makes for good practice though.)

Using the csv file from Splunk containing userids (visualized in yellow) and IPs (visualized in green) over the past few months, here are the results of some of the experiments.

Oh, for the Windows users, you can use type instead of cat 😉

First test using GraphViz’s neato to layout:

perl afterglow.pl -b 1 -i <infile> -c color.properties -t | neato -Tgif -o output.gif

Huge, but better visualized with the -e 5 option (the resulting image for that is too huge to upload though :P). Note the single IP in the middle (the yellow explosion) that has been trying a LOT of userids to date.

Second test using fdp:

perl afterglow.pl -b 1 -i <infile> -c color.properties -t | fdp -Tgif -o output.gif

fdp doesn’t seem to be well suited for this.

Third test using sfdp:

No command here, you should have noticed the pattern from the first two…

_Even_ less suited for this type of data…

Last test using twopi:

According to the GraphViz site, twopi’s more suited for visualizing stuff like telecommunications flows.

twopi

Visualizing sshd brute-force attempts

Trying out with some interesting results…

1.—

This one is a Splunk query, run over the span of the last 7 days:

sourcetype="ossec_alerts" rule_number="5710"|
rex field=_raw "Invalid user (?<userid>[^ ]+) from"|
fields + src_ip,userid|fields - _*|
dedup src_ip userid|
outputcsv ssh-atk-attempts-userid-ip

2.—

Then some data massaging on the csv file…

[edit: this is not needed…just output the csv file with the fields in the order you want…and read the next post for better options with 2-column csv inputs]

cat ssh-atk-attempts-userid-ip.csv | 
sed 's/^.*$/&,server/' > ssh-atk-attempts-userid-ip2.csv

3.—

Then running it thru Afterglow and GraphViz’s neato…

cat ssh-atk-attempts-userid-ip2.csv | 
./afterglow.pl | neato -Tgif -o ssh-atk-ip-userid.gif
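As an added example (not afterglow’s code, nor anything from these posts), here is a small Python stand-in for the afterglow step: it reads the two-column csv that the Splunk query above produces, emits neato-ready DOT with the same yellow (userid) / green (IP) colouring, and tallies what the plots only show by eye: the source that tried the most distinct userids (the “yellow explosion”) and the userids shared across many sources (root, guest, test). The sample csv, its IPs and the helper names are constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like the Splunk outputcsv result (src_ip,userid); the repeated first row stands in for an un-deduped export.
SAMPLE_CSV = """src_ip,userid
203.0.113.10,root
203.0.113.10,root
203.0.113.10,admin
203.0.113.10,test
198.51.100.7,root
198.51.100.7,guest
192.0.2.25,test
192.0.2.25,root
"""

def load_pairs(text):
    """Distinct (src_ip, userid) pairs, equivalent to Splunk's 'dedup src_ip userid'."""
    return {(r["src_ip"].strip(), r["userid"].strip())
            for r in csv.DictReader(io.StringIO(text))}

def dot_quote(s):
    """Escape a log-derived string (attacker-chosen userid!) for a double-quoted DOT identifier or label."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def to_dot(pairs):
    """GraphViz source: IPs green, userids yellow, one edge per attempted pair; pipe into neato/fdp/twopi."""
    lines = ["graph sshd {", "  overlap=false;"]
    for ip in sorted({ip for ip, _ in pairs}):
        lines.append(f'  "ip:{dot_quote(ip)}" [label="{dot_quote(ip)}", style=filled, fillcolor=lightgreen];')
    for u in sorted({u for _, u in pairs}):
        lines.append(f'  "user:{dot_quote(u)}" [label="{dot_quote(u)}", style=filled, fillcolor=yellow];')
    for ip, u in sorted(pairs):
        lines.append(f'  "ip:{dot_quote(ip)}" -- "user:{dot_quote(u)}";')
    lines.append("}")
    return "\n".join(lines) + "\n"

def noisiest_sources(pairs):
    """(src_ip, number of distinct userids tried), most active first: the 'yellow explosion' in the plot."""
    count = defaultdict(int)
    for ip, _ in pairs:
        count[ip] += 1
    return sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))

def shared_userids(pairs, min_ips=2):
    """Userids attempted from at least min_ips different sources (the root/guest/test favourites)."""
    sources = defaultdict(set)
    for ip, u in pairs:
        sources[u].add(ip)
    return sorted(u for u, ips in sources.items() if len(ips) >= min_ips)
```

Write the output of to_dot() to a file and render it with neato -Tgif -o output.gif exactly as in the commands above.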

Seems like very little overlap in the userids that were attempted (with the exception of the few favourites like root, guest, test).  A coordinated/distributed attack perhaps?  Haven’t dug more into the IPs in question, but I’m pretty sure that they’d be broadband addresses, meaning that they are bots.

Of course we could try with a larger timespan, but the result isn’t really readable… The resulting 1MB file (1813 x 1704 px) for all time in Splunk only looks pretty; it isn’t readable.

[edit: there’re better results in the next post!]