Visualizing blocked traffic



  • Netflow is great for watching passed traffic and works excellently with PRTG for visualization. For blocked traffic though, the only mechanism (as far as I understand) is the firewall syslog. What tools are you using to visualize blocked traffic, if any?

    Why visualize blocked traffic? Well, I would like to see what type of attempts or attacks are most common, and where they are most often coming from. The firewall logs of blocked traffic are so huge that there is no way to read through them. I am looking for a tool to summarize and/or visualize the data on blocked traffic so that it is more meaningful. Is anyone else doing this?


  • LAYER 8 Global Moderator

    There are lots of people using the ELK stack with pfSense.. There was a thread a while back where someone went through bringing up an ELK stack, I brought up one with all the current versions of ELK.. I was going to release it via an OVA for those too lazy to do it themselves, etc.  But have not had time to create any visualizations for it, and now got a new toy (Amazon Echo) I've been playing with, so not sure when I'll get back to it ;)

    Also someone else brought up a monitor tool, that is pretty slick - kind of like DShield, and I think he has plans of adding visualizations to that.. The thread is in the general section.  You could also send your logs to DShield, I do this and they make graphs for you and send you a nice email daily with totals of ports hit, etc.  Graphs don't seem to be currently working? Hmmm

    Day: 2016-12-05
    Userid: 94 <snipped>
    For 2016-12-05 you submitted 1669 packets from 1257 sources hitting 1 targets.
    
    Port Summary
    ============
    
    Port  |  Packets  |  Sources  |  Targets  |      Service       |  Name
    ------+-----------+-----------+-----------+--------------------+-------------
       23 |       946 |       823 |         1 |             telnet |
     7547 |       207 |       206 |         1 |              TR069 | Router Remote Admin
     2323 |        47 |        44 |         1 |            3d-nfsd | 3d-nfsd
       22 |        53 |        30 |         1 |                ssh | SSH Remote Login Protocol
       80 |        37 |        22 |         1 |                www | World Wide Web HTTP
     3389 |        31 |        21 |         1 |   ms-term-services | MS Terminal Services
      443 |        18 |        13 |         1 |              https | HTTP protocol over TLS SSL
     3306 |         9 |         9 |         1 |              mysql | MySQL
     8080 |        12 |         9 |         1 |           http-alt | HTTP Alternate (see port 80)
       81 |        10 |         8 |         1 |          hosts2-ns | HOSTS2 Name Server
     5555 |         7 |         7 |         1 |     personal-agent | Personal Agent
     3390 |         6 |         5 |         1 |                dsc | Distributed Service Coordinator
     3128 |         7 |         4 |         1 |         squid-http | Proxy Server
     8000 |         4 |         4 |         1 |              irdmi | iRDMI
     2083 |         3 |         3 |         1 |                    |
     9797 |         3 |         3 |         1 |                    |
     9000 |         3 |         3 |         1 |         cslistener | CSlistener
     9001 |         3 |         3 |         1 |                    |
     1433 |         3 |         3 |         1 |           ms-sql-s | Microsoft-SQL-Server
     5900 |         3 |         3 |         1 |                vnc | Virtual Network Computer
    
    </snipped>
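As an added example (not from the thread and not DShield's code), a small Python summariser that turns pfSense filterlog syslog lines into the kind of per-port table DShield mails out: packets, distinct sources and distinct targets per blocked destination port, with pass events, ICMP and non-filterlog lines filtered out. It assumes the comma-separated filterlog field order given in its docstring (pfSense 2.2 and later, as I understand it; verify against your version), and the sample syslog lines are constructed.

```python
"""Summarise pfSense filterlog 'block' events into a DShield-style port table.
Assumed filterlog CSV layout (pfSense 2.2+): rule,subrule,anchor,tracker,iface,
reason,action,dir,ipver, then IPv4 (tos,ecn,ttl,id,offset,flags,proto-id,proto)
or IPv6 (class,flow,hoplimit,proto,proto-id), then length,src,dst[,sport,dport,...]."""
import re
from collections import defaultdict

SYSLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.+)$")

def parse_filterlog(line):
    """Return {action, dir, proto, src, dst, dport} or None for lines we cannot use."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # IPv4 and IPv6 headers differ in length; src/dst follow the length field.
    base = {"4": 17, "6": 14}.get(f[8]) if len(f) > 8 else None
    if base is None or len(f) < base + 3:
        return None
    proto = (f[16] if f[8] == "4" else f[12]).lower()
    rec = {"action": f[6], "dir": f[7], "proto": proto,
           "src": f[base + 1], "dst": f[base + 2], "dport": None}
    if proto in ("tcp", "udp") and len(f) >= base + 5 and f[base + 4].isdigit():
        rec["dport"] = int(f[base + 4])  # ICMP and other protocols carry no port
    return rec

def port_summary(lines):
    """Count inbound blocks per destination port: [(port, packets, sources, targets)]."""
    agg = defaultdict(lambda: {"packets": 0, "sources": set(), "targets": set()})
    for r in map(parse_filterlog, lines):
        if not r or r["action"] != "block" or r["dir"] != "in" or r["dport"] is None:
            continue
        a = agg[r["dport"]]
        a["packets"] += 1
        a["sources"].add(r["src"])
        a["targets"].add(r["dst"])
    rows = [(p, v["packets"], len(v["sources"]), len(v["targets"])) for p, v in agg.items()]
    return sorted(rows, key=lambda t: (-t[1], t[0]))  # busiest port first, like DShield

SAMPLE = [  # constructed syslog lines using documentation address ranges
    "Dec  5 10:00:01 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,53,0,0,none,6,tcp,60,198.51.100.7,203.0.113.5,51234,23,0,S,1,,65535,,mss",
    "Dec  5 10:00:02 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,49,0,0,none,6,tcp,60,198.51.100.8,203.0.113.5,44321,23,0,S,1,,65535,,mss",
    "Dec  5 10:00:03 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,49,0,0,none,6,tcp,60,198.51.100.8,203.0.113.5,44322,7547,0,S,1,,65535,,mss",
    "Dec  5 10:00:04 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,49,0,0,none,17,udp,48,198.51.100.9,203.0.113.5,5000,53,28",
    "Dec  5 10:00:05 fw filterlog: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::1,2001:db8::5,40000,22,0,S,1,,65535,,mss",
    "Dec  5 10:00:06 fw filterlog: 9,,,1000000110,igb0,match,pass,in,4,0x0,,49,0,0,none,6,tcp,60,198.51.100.9,203.0.113.5,44323,443,0,S,1,,65535,,mss",
    "Dec  5 10:00:07 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,49,0,0,none,1,icmp,84,198.51.100.10,203.0.113.5,request,1234,0",
    "Dec  5 10:00:08 fw sshd[100]: Accepted publickey for admin",
]
```

`port_summary(SAMPLE)` returns one row per blocked destination port; feed it the lines of a real filterlog syslog file instead of `SAMPLE` to get the daily totals the DShield mail shows.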
    


