Visualizing blocked traffic
-
NetFlow is great for watching passed traffic and works very well with PRTG for visualization. For blocked traffic though, the only mechanism (as far as I understand) is the firewall syslog. What tools are you using to visualize blocked traffic, if any?
Why visualize blocked traffic? Well, I would like to see what types of attempts or attacks are most common, and where they are most often coming from. The firewall logs of blocked traffic are so huge that there is no way to read through them. I am looking for a tool to summarize and/or visualize the data on blocked traffic so that it is more meaningful. Is anyone else doing this?
-
There are lots of people using the ELK stack with pfSense. There was a thread a while back where someone went through bringing up an ELK stack; I brought up one with all the current versions of ELK. I was going to release it via an OVA for those too lazy to do it themselves, etc., but I have not had time to create any visualizations for it, and now I've got a new toy, an Amazon Echo, that I've been playing with, so not sure when I'll get back to it ;)
Also someone else brought up a monitor tool that is pretty slick, kind of like DShield, and I think he has plans of adding visualizations to that. The thread is in the general section. You could also send your logs to DShield; I do this and they make graphs for you and send you a nice email daily with totals of ports hit, etc. Graphs don't seem to be currently working? Hmmm
Day: 2016-12-05 Userid: 94 <snipped>
For 2016-12-05 you submitted 1669 packets from 1257 sources hitting 1 targets.

Port Summary
============
Port | Packets | Sources | Targets | Service | Name
------+-----------+-----------+-----------+--------------------+-------------
23 | 946 | 823 | 1 | telnet |
7547 | 207 | 206 | 1 | TR069 | Router Remote Admin
2323 | 47 | 44 | 1 | 3d-nfsd | 3d-nfsd
22 | 53 | 30 | 1 | ssh | SSH Remote Login Protocol
80 | 37 | 22 | 1 | www | World Wide Web HTTP
3389 | 31 | 21 | 1 | ms-term-services | MS Terminal Services
443 | 18 | 13 | 1 | https | HTTP protocol over TLS SSL
3306 | 9 | 9 | 1 | mysql | MySQL
8080 | 12 | 9 | 1 | http-alt | HTTP Alternate (see port 80)
81 | 10 | 8 | 1 | hosts2-ns | HOSTS2 Name Server
5555 | 7 | 7 | 1 | personal-agent | Personal Agent
3390 | 6 | 5 | 1 | dsc | Distributed Service Coordinator
3128 | 7 | 4 | 1 | squid-http | Proxy Server
8000 | 4 | 4 | 1 | irdmi | iRDMI
2083 | 3 | 3 | 1 | |
9797 | 3 | 3 | 1 | |
9000 | 3 | 3 | 1 | cslistener | CSlistener
9001 | 3 | 3 | 1 | |
1433 | 3 | 3 | 1 | ms-sql-s | Microsoft-SQL-Server
5900 | 3 | 3 | 1 | vnc | Virtual Network Computer

Port Scanners
=============
source | Ports Scanned | Host Name
---------------+---------------+------------
185.56.82.30 | 59 |
93.174.93.136 | 28 | no-reverse-dns-configured.com
208.100.26.228 | 16 | ip228.208-100-26.static.steadfastdns.net
94.102.49.174 | 14 | mail.picdown.me
80.82.65.90 | 10 | no-reverse-dns-configured.com
52.15.160.133 | 9 | ec2-52-15-160-133.us-east-2.compute.amazonaws.com
61.240.144.65 | 7 | s2.securityresearch.360.cn
61.240.144.66 | 4 | s3.securityresearch.360.cn
66.240.236.119 | 4 | census6.shodan.io
183.60.48.25 | 4 |
198.50.142.76 | 3 |
89.248.174.51 | 3 | no-reverse-dns-configured.com
132.148.84.66 | 3 | ip-132-148-84-66.ip.secureserver.net
71.6.135.131 | 3 | census7.shodan.io
5.8.10.202 | 3 |
185.70.185.215 | 2 |
71.6.146.186 | 2 | inspire.census.shodan.io
114.129.108.30 | 2 |
77.43.146.13 | 2 | pppoe.77.43.146.13.ccl.perm.ru
116.98.216.63 | 2 |
89.248.172.16 | 2 | no-reverse-dns-configured.com
173.212.201.61 | 2 | vmi94094.contabo.host
104.37.212.53 | 2 |
94.102.49.190 | 2 | no-reverse-dns-configured.com
125.43.80.100 | 2 | hn.kd.ny.adsl
66.240.192.138 | 2 | census8.shodan.io
95.211.102.183 | 2 | cpanel11-nl.temok.com
14.215.156.100 | 2 |
63.143.57.26 | 2 | 26-57-143-63.static.reverse.lstn.net
46.228.8.45 | 2 |
183.9.186.26 | 2 |
122.224.8.105 | 2 |
218.161.97.114 | 2 | 218-161-97-114.HINET-IP.hinet.net
216.243.31.2 | 2 |
12.205.81.238 | 2 | 238-81-205-12-static.centennialpr.ne.81.205.12.in-addr.arpa
189.59.193.95 | 2 | 189.59.193.95.static.host.gvt.net.br
115.202.18.148 | 2 |
71.6.146.185 | 2 | pirate.census.shodan.io
94.102.49.7 | 2 | towing.carsmemo.com
111.58.80.91 | 2 |
185.2.81.32 | 2 | abuser.elva-listverify.com
14.152.59.11 | 2 |
89.248.167.131 | 2 | no-reverse-dns-configured.com

Source Summary
==============
source | hostname |packets|targets| all pkts | all trgs | first seen
---------------+-----------+-------+-------+----------+----------+-----------
185.56.82.30 | | 59 | 1 | 481317 | 2569 | 11-15-2016
93.174.93.136 |figured.com| 31 | 1 | 184980 | 282 | 07-28-2016
218.161.97.114 |P.hinet.net| 25 | 1 | 61 | 19 | 11-27-2016
208.100.26.228 |fastdns.net| 16 | 1 | 111309 | 19396 | 03-29-2016
114.129.108.30 | | 15 | 1 | 3533 | 1064 | 11-12-2016
94.102.49.174 |.picdown.me| 14 | 1 | 80386 | 278 | 06-13-2016
80.82.65.90 |figured.com| 10 | 1 | 80896 | 2029 | 11-12-2016
52.15.160.133 |azonaws.com| 9 | 1 | 77 | 10 | 11-30-2016
70.19.28.116 |verizon.net| 7 | 1 | 790 | 171 | 08-10-2016
173.212.201.61 |ontabo.host| 7 | 1 | 12176 | 1812 | 12-03-2016
61.240.144.65 |arch.360.cn| 7 | 1 | 359361 | 52695 | 10-10-2015
124.106.161.249 | | 6 | 1 | 288 | 68 | 06-21-2016
221.229.204.203 | | 5 | 1 | 136573 | 41897 | 11-27-2016
186.16.11.75 |ecel.com.py| 5 | 1 | 97 | 75 | 06-10-2016
183.60.48.25 | | 5 | 1 | 645309 | 51431 | 10-08-2015
197.44.49.22 |.tedata.net| 5 | 1 | 89 | 57 | 09-25-2016
185.159.37.21 | | 4 | 1 | 43088 | 29331 | 11-26-2016
24.116.21.242 |ableone.net| 4 | 1 | 527 | 453 | 10-10-2016
61.240.144.66 |arch.360.cn| 4 | 1 | 186755 | 5919 | 05-26-2016
77.43.146.13 |ccl.perm.ru| 4 | 1 | 2299 | 1055 | 11-07-2016</snipped>
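The question above asks for something that turns an unreadable pile of blocked-traffic syslog into a summary, and the reply shows the shape such a summary takes (DShield's port summary, port scanners and source summary). The script below is an added example, written for this page and not code from either poster, DShield or the pfSense project. It parses the CSV payload that pfSense's filterlog writes to syslog (the field layout of pfSense 2.2 and later is assumed: rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then for IPv4 tos, ecn, ttl, id, offset, flags, protocol id, protocol name, length, source, destination, then for TCP/UDP source port and destination port; IPv6 entries are skipped), keeps only the "block" entries, and builds the same three tables. The sample syslog lines are constructed with RFC 5737 documentation addresses; the scanner threshold of three distinct ports is an arbitrary choice, not DShield's rule.

```python
"""Summarize pfSense filterlog 'block' entries into a DShield-style daily report.

Added example. Assumes the pfSense 2.2+ filterlog CSV layout described in the
lead-in; only IPv4 entries are handled, everything else is ignored.
"""
import re
from collections import Counter, defaultdict

# Matches the filterlog payload whether or not syslog appended a PID, e.g. "filterlog[123]:".
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.*)$")

# Constructed sample lines (not real logs): three hosts probing one firewall, plus one
# passed connection and one blocked ICMP echo so the filters below have something to skip.
SAMPLE = """\
Dec  5 08:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,1,0,none,6,tcp,60,203.0.113.5,198.51.100.2,40123,23,0,S,1,,29200,,mss
Dec  5 08:00:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,2,0,none,6,tcp,60,203.0.113.5,198.51.100.2,40124,23,0,S,1,,29200,,mss
Dec  5 08:00:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,3,0,none,6,tcp,60,203.0.113.5,198.51.100.2,40125,23,0,S,1,,29200,,mss
Dec  5 08:00:04 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,4,0,none,6,tcp,60,203.0.113.5,198.51.100.2,40126,2323,0,S,1,,29200,,mss
Dec  5 08:01:00 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,48,5,0,none,6,tcp,60,198.51.100.7,198.51.100.2,51000,23,0,S,1,,1024,,
Dec  5 08:01:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,48,6,0,none,6,tcp,60,198.51.100.7,198.51.100.2,51001,22,0,S,1,,1024,,
Dec  5 08:01:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,48,7,0,none,6,tcp,60,198.51.100.7,198.51.100.2,51002,80,0,S,1,,1024,,
Dec  5 08:01:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,48,8,0,none,6,tcp,60,198.51.100.7,198.51.100.2,51003,443,0,S,1,,1024,,
Dec  5 08:02:00 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,57,9,0,none,17,udp,48,192.0.2.9,198.51.100.2,6000,7547,28
Dec  5 08:02:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,57,10,0,none,6,tcp,60,192.0.2.9,198.51.100.2,6001,7547,0,S,1,,8192,,
Dec  5 08:02:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,57,11,0,none,1,icmp,84,192.0.2.9,198.51.100.2,request,1,2
Dec  5 08:03:00 pfSense filterlog: 80,,,1000000201,em0,match,pass,in,4,0x0,,64,12,0,DF,6,tcp,60,203.0.113.50,198.51.100.2,33000,443,0,S,1,,65535,,mss
"""


def parse_filterlog(line):
    """Parse one syslog line; return dict(action, proto, src, dst, dport) or None."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Need the IPv4 header fields up to and including the destination address.
    if len(f) < 20 or f[8] != "4":
        return None
    action, proto, src, dst, rest = f[6], f[16], f[18], f[19], f[20:]
    dport = None
    if proto in ("tcp", "udp") and len(rest) >= 2 and rest[1].isdigit():
        dport = int(rest[1])  # transport fields start with sport,dport
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def summarize(lines, scan_threshold=3):
    """Aggregate blocked packets per destination port and per source, and flag scanners.

    Returns (port_summary, scanners, source_summary):
      port_summary   [(dport, packets, distinct_sources)] sorted by packets desc
      scanners       [(src, distinct_ports)] for sources hitting >= scan_threshold ports
      source_summary [(src, packets)] sorted by packets desc, all protocols counted
    """
    ports = defaultdict(lambda: {"packets": 0, "sources": set()})
    sources = Counter()
    src_ports = defaultdict(set)
    for line in lines:
        e = parse_filterlog(line)
        if e is None or e["action"] != "block":
            continue  # passed traffic is NetFlow's job, not this report's
        sources[e["src"]] += 1
        if e["dport"] is None:
            continue  # ICMP and friends: counted per source, no port to tally
        ports[e["dport"]]["packets"] += 1
        ports[e["dport"]]["sources"].add(e["src"])
        src_ports[e["src"]].add(e["dport"])
    port_summary = sorted(
        ((p, v["packets"], len(v["sources"])) for p, v in ports.items()),
        key=lambda t: -t[1])
    scanners = sorted(
        ((s, len(ps)) for s, ps in src_ports.items() if len(ps) >= scan_threshold),
        key=lambda t: -t[1])
    return port_summary, scanners, sources.most_common()


def render(port_summary, scanners, source_summary):
    """Render the three tables as plain text in roughly DShield's layout."""
    out = ["Port Summary", "============", " Port | Packets | Sources"]
    out += [f"{p:>5} | {n:>7} | {s:>7}" for p, n, s in port_summary]
    out += ["", "Port Scanners", "=============", "source          | Ports Scanned"]
    out += [f"{s:<15} | {n}" for s, n in scanners]
    out += ["", "Source Summary", "==============", "source          | packets"]
    out += [f"{s:<15} | {n}" for s, n in source_summary]
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: python3 summarize.py < /var/log/filter.log (or a remote syslog file).
    print(render(*summarize(SAMPLE.splitlines())))
```

Feed it the firewall's syslog file instead of SAMPLE and you get the "what ports, from where" view the question asks for without reading the raw log; the port-scanner table is the same distinct-destination-port heuristic the DShield report uses, so a host that sweeps many ports stands out even when it sends few packets to each.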