├── AssetDiscoveryTree.sh
├── FlowPlotterD3
├── README
├── data
│ ├── data.csv
│ ├── data.tsv
│ ├── ms.csv
│ └── sensordata.csv
├── flowplotter.sh
├── mslinechart.html
├── notes
├── output.file
└── templates
│ ├── jquery.tipsy.js
│ ├── linechart.html
│ ├── linechart.html.bak
│ ├── mslinechart.html
│ └── stylesheet.css
├── LICENSE.md
├── README.md
├── d3chart
├── forceopacity.html
└── treeasset.html
├── flowplotter.sh
├── googlechart
├── barchart.html
├── bubblechart.html
├── columnchart.html
├── geomap.html
├── histogram.html
├── linechart.html
├── orgchart.html
├── piechart.html
├── tablechart.html
├── timeline.html
└── treemap.html
└── scripts
└── AssetDiscoveryTree.sh
/AssetDiscoveryTree.sh:
--------------------------------------------------------------------------------
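#!/bin/bash
#
# AssetDiscoveryTree.sh - generate an asset list (an HTML page with a D3 tree of
# "server" hosts per service) from a pre-existing SiLK filter file.
# Based on a combination of works from Applied Network Security Monitoring and
# http://www.sei.cmu.edu/reports/12tr006.pdf
#
# Usage
#   Obtain a filter file with a large amount of network data, representative of
#   all hosts on your network:
#   $ rwfilter --start-date=2014/05/13 --proto=0- --type=all --pass=sample.rw
#
#   Run AssetDiscoveryTree.sh against the file and send to an output html file:
#   $ ./AssetDiscoveryTree.sh /home/jason/sample.rw > /home/jason/assetlist.html
#
#   By default, you will be generating data for servers making up greater than
#   1 percent of all "server" traffic for a given service.  If instead you want
#   a static number threshold, specify --count=50 to display the top 50 talkers
#   for a service:
#   $ ./AssetDiscoveryTree.sh /home/jason/sample.rw --count=50 > /home/jason/assetlistTOP50.html
#
#   If instead you want to threshold by byte size, specify --threshold=75000000
#   to display the services with greater than 75000000 bytes outbound:
#   $ ./AssetDiscoveryTree.sh /home/jason/sample.rw --threshold=75000000 > /home/jason/assetlistBYTETHRESHOLD.html
#
# Arguments:
#   $1 - SiLK flow file (the rwfilter --pass output)
#   $2 - optional rwstats selector: --count=N, --percentage=N or --threshold=N
#        (default --percentage=1); anything else is rejected
# Requires:  SiLK (rwfilter, rwstats, rwuniq, rwset, rwsetbuild) on PATH and
#            d3chart/treeasset.html relative to the current directory
# Outputs:   the filled-in HTML page on stdout.  Scratch files (IPsets, JSON)
#            live in a mktemp directory that is removed on exit, so nothing is
#            left behind and no *.set files in the working directory are touched.

set -euo pipefail

# Template carrying the "dataplaceholder" marker the tree JSON is spliced into;
# resolved against the current directory, as the original did.
readonly TEMPLATE='d3chart/treeasset.html'

# The only rwstats selectors accepted as $2.  The value is passed to rwstats as
# one option word, so anything outside this shape (another rwstats option,
# several words) is rejected instead of being handed through.
readonly LIMIT_PATTERN='^--(count|percentage|threshold)=[0-9]+(\.[0-9]+)?$'

# Scratch directory; created in main and removed by the EXIT trap.
WORKDIR=''

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the command line synopsis to stderr and exit 2.
#######################################
usage() {
  printf 'Usage: %s FLOWFILE [--count=N | --percentage=N | --threshold=N]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Turn the "sip|..." rows printed by rwstats/rwuniq on stdin into an IPset file.
# Arguments: $1 - IPset file to write
#######################################
ipset_from_rows() {
  cut -f 1 -d '|' | rwsetbuild > "$1"
}

#######################################
# Convert rwuniq "ip,bytes" rows on stdin into one JSON tree node whose children
# are the hosts, one per row, sized by bytes.
# Rows that are not a dotted-quad IPv4 address followed by a byte count are
# dropped: anything else would land as raw text inside the JS string literal
# the template embeds and break the page.
# Arguments: $1 - node label, e.g. "Web Servers"
# Outputs:   the node on stdout followed by a trailing "," so nodes can be
#            concatenated; nothing at all when no row matched, so an empty
#            category simply does not appear in the tree
#######################################
json_category() {
  local label=$1
  local hosts
  hosts=$(sed -n 's/^\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\),\([0-9]\{1,\}\)$/  {"name": "\1", "size": \2},/p' \
    | sed '$s/,$//')
  [[ -n "$hosts" ]] || return 0
  printf '{"name": "%s",\n"children": [\n%s\n]},\n' "$label" "$hosts"
}

#######################################
# Select the outbound flows of the hosts in an IPset, total bytes per source
# host and print them as one JSON category node.
# Arguments: $1 - SiLK flow file
#            $2 - node label
#            $3 - IPset file of the server hosts
#            $@ - remaining: rwfilter partitioning options for the service
# Outputs:   JSON node on stdout (see json_category)
#######################################
emit_category() {
  local flows=$1 label=$2 ipset=$3
  shift 3
  rwfilter "$flows" --sipset="$ipset" "$@" --pass=stdout \
    | rwuniq --fields=sip --bytes --sort-output --no-titles --delimited=, \
    | json_category "$label"
}

main() {
  (( $# >= 1 )) || usage
  local flows=$1
  local limit=${2:-}

  [[ -r "$flows" ]] || die "cannot read flow file: $flows"
  if [[ -z "$limit" ]]; then
    limit='--percentage=1'
  elif [[ ! "$limit" =~ $LIMIT_PATTERN ]]; then
    die "second argument must be --count=N, --percentage=N or --threshold=N, got: $limit"
  fi
  [[ -r "$TEMPLATE" ]] || die "template not found: $TEMPLATE (run from the directory containing d3chart/)"

  WORKDIR=$(mktemp -d) || die 'mktemp failed'
  trap 'rm -rf -- "$WORKDIR"' EXIT
  local json=$WORKDIR/flare.temp.json
  local assets=$WORKDIR/assets.json

  printf '%s\n' '{ "name": "Assets","children": [ ' > "$json"

  # Web: TCP from 80/443/8080 in the outweb class, flows of 4+ packets with the
  # ACK flag set; servers are the top sources by bytes under $limit.
  rwfilter "$flows" --type=outweb --sport=80,443,8080 --protocol=6 --packets=4- --ack-flag=1 --pass=stdout \
    | rwstats --fields=sip "$limit" --bytes --no-titles \
    | ipset_from_rows "$WORKDIR/web.set"
  emit_category "$flows" 'Web Servers' "$WORKDIR/web.set" \
    --type=outweb --sport=80,443,8080 --protocol=6 --packets=4- --ack-flag=1 >> "$json"

  # Mail: every source seen on the SMTP/POP/IMAP ports.  No thresholding here,
  # as in the original: rwset keeps all of them.
  rwfilter "$flows" --type=out --sport=25,465,110,995,143,993 --protocol=6 --packets=4- --ack-flag=1 --pass=stdout \
    | rwset --sip-file="$WORKDIR/smtp.set"
  emit_category "$flows" 'SMTP Servers' "$WORKDIR/smtp.set" \
    --type=out --sport=25,465,110,995,143,993 --protocol=6 --packets=4- --ack-flag=1 >> "$json"

  # DNS: UDP from port 53, ranked by packets rather than bytes.
  rwfilter "$flows" --type=out --sport=53 --protocol=17 --pass=stdout \
    | rwstats --fields=sip "$limit" --packets --no-titles \
    | ipset_from_rows "$WORKDIR/dns.set"
  emit_category "$flows" 'DNS Servers' "$WORKDIR/dns.set" \
    --type=out --sport=53 --protocol=17 >> "$json"

  # VPN: any source of GRE/ESP/AH (protocols 47, 50, 51); the category then
  # totals all outbound traffic of those hosts, not only the tunnel protocols.
  rwfilter "$flows" --type=out --protocol=47,50,51 --pass=stdout \
    | rwuniq --fields=sip --no-titles \
    | ipset_from_rows "$WORKDIR/vpn.set"
  emit_category "$flows" 'VPN Servers' "$WORKDIR/vpn.set" --type=out >> "$json"

  # FTP: servers chosen from control-channel traffic (sport 21), then sized by
  # their data-channel flows (sport 20, initial flags SYN only).
  rwfilter "$flows" --type=out --protocol=6 --packets=4- --ack-flag=1 --sport=21 --pass=stdout \
    | rwstats --fields=sip "$limit" --bytes --no-titles \
    | ipset_from_rows "$WORKDIR/ftp.set"
  emit_category "$flows" 'FTP Servers' "$WORKDIR/ftp.set" \
    --type=out --sport=20 --flags-initial=S/SAFR >> "$json"

  # SSH and Telnet: same selection as web, on ports 22 and 23.
  rwfilter "$flows" --type=out --protocol=6 --packets=4- --ack-flag=1 --sport=22 --pass=stdout \
    | rwstats --fields=sip "$limit" --bytes --no-titles \
    | ipset_from_rows "$WORKDIR/ssh.set"
  emit_category "$flows" 'SSH Servers' "$WORKDIR/ssh.set" \
    --type=out --protocol=6 --packets=4- --ack-flag=1 --sport=22 >> "$json"

  rwfilter "$flows" --type=out --protocol=6 --packets=4- --ack-flag=1 --sport=23 --pass=stdout \
    | rwstats --fields=sip "$limit" --bytes --no-titles \
    | ipset_from_rows "$WORKDIR/telnet.set"
  emit_category "$flows" 'Telnet Servers' "$WORKDIR/telnet.set" \
    --type=out --protocol=6 --packets=4- --ack-flag=1 --sport=23 >> "$json"

  # Close the tree: drop the trailing comma left by the last category, append
  # the closing brackets, flatten to one line and wrap it in the JS assignment
  # the template expects.  The JSON holds only dotted quads, digits and the
  # fixed labels above, so it is safe inside a single-quoted JS string.
  {
    printf "var myjson = '"
    sed '$s/,$//' "$json" | tr '\n' ' '
    printf "]}';"
  } > "$assets"

  # Splice the data into the template in place of the "dataplaceholder" marker.
  sed -e '/dataplaceholder/{' -e 's/dataplaceholder//g' -e "r $assets" -e '}' "$TEMPLATE"
}

main "$@"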
58 |
--------------------------------------------------------------------------------
/FlowPlotterD3/README:
--------------------------------------------------------------------------------
1 | This is a test directory for converting the old FlowPlotter charts to newer D3 versions with more capability.
2 | Old FlowPlotter will remain as it is, but this will serve as the newer "better" FlowPlotter once it is complete.
3 |
--------------------------------------------------------------------------------
/FlowPlotterD3/data/data.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/automayt/FlowPlotter/a184bb9d8151b500f95e2482e975c1c5e5cc0f5d/FlowPlotterD3/data/data.csv
--------------------------------------------------------------------------------
/FlowPlotterD3/data/data.tsv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/automayt/FlowPlotter/a184bb9d8151b500f95e2482e975c1c5e5cc0f5d/FlowPlotterD3/data/data.tsv
--------------------------------------------------------------------------------
/FlowPlotterD3/data/ms.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/automayt/FlowPlotter/a184bb9d8151b500f95e2482e975c1c5e5cc0f5d/FlowPlotterD3/data/ms.csv
--------------------------------------------------------------------------------
/FlowPlotterD3/data/sensordata.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/automayt/FlowPlotter/a184bb9d8151b500f95e2482e975c1c5e5cc0f5d/FlowPlotterD3/data/sensordata.csv
--------------------------------------------------------------------------------
/FlowPlotterD3/flowplotter.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | #FlowPlotter is a script that allows for the "easy" integration of SiLK results into various Google Visualization Chart APIs.
4 |
5 | #GEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAP
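geomap () {
#######################################
# Render a Google GeoMap of one rwstats field against one value column.
# rwstats is given no input file, so SiLK records are expected on stdin; the
# result is googlechart/geomap.html with "dataplaceholder" replaced by the
# chart's data rows, printed to stdout.
# Globals:   title, independent, value, graphtitle (written; kept because the
#            other chart functions in this file appear to share them)
# Arguments: $1 - rwstats field to map; the row filter keeps two-letter codes,
#                 so a country-code field such as scc/dcc is presumably meant
#            $2 - rwstats value column, e.g. bytes/packets/records
# Outputs:   HTML on stdout
# Returns:   1 when the scratch file cannot be created
#######################################
title="$1 by $2"
independent="$1"
value="$2"
graphtitle="$independent by $value"

# Scratch file for the data rows: a mktemp name instead of a fixed ./temp.test,
# so two runs in the same directory cannot clobber each other's data.
local rows
rows=$(mktemp) || { printf 'geomap: mktemp failed\n' >&2; return 1; }

# Keep only "code,value" rows: drop rwstats' separator/summary lines ("--"),
# the non-country codes a1/a2/o1, and "us" (dropped by the original too,
# presumably because its volume would flatten the colour scale -- TODO confirm).
# The first sed turns the title row into the ['Field', 'Value'] header the
# chart expects; the second turns each "cc,number" row into ['cc', number],
# and the last strips the comma on the final row.
rwstats --top --count=275 --fields="$independent" --value="$value" --delimited=, \
  | grep ',' \
  | grep -v -e '--' -e 'a1' -e 'a2' -e 'us' -e 'o1' \
  | cut -d ',' -f1,2 \
  | sed "1 s/\([A-Za-z]\{1,20\}\),\([A-Za-z]\{1,20\}\)/['\1', '\2'],/g" \
  | sed "s/\([a-z]\{2\}\),\([0-9]\{1,50\}\)/['\1', \2],/g" \
  | sed '$s/,$//' > "$rows"

# Splice the rows into the template where the marker sits.
sed -e '/dataplaceholder/{' -e 's/dataplaceholder//g' -e "r $rows" -e '}' googlechart/geomap.html
rm -f -- "$rows"
}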
25 | #GEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAPGEOMAP
26 |
27 |
28 | #mslinechartmslinechartmslinechartmslinechartmslinechartmslinechartmslinechartmslinechartmslinechartmslinechartmslinechart
29 | mslinechart () {
30 | #Variable Creation
31 | #independent variable is a string
32 | #value is an string
33 | title="$1 in $2 second bins per $3"
34 | resolution="$1"
35 | value="$2"
36 | series="$3"
37 | number_of_values=$(echo $(( $(grep -o ',' <<<"$value" | grep -c .) + 2)))
38 | valuelist=$(seq $number_of_values | tr '\n' ',' | sed 's/,$//g')
39 |
40 | if [ "$1" -eq "$1" ] 2>/dev/null; then
41 | resolution="$1"
42 | else
43 | echo "The resolution you selected is invalid. Your first argument to mslinechart should be an integer value in seconds"
44 | exit
45 | fi
46 |
47 | graphtitle="$valuename in $resolution second bins per $series"
48 | #awk '!/date/'
49 | rwuniq --bin-time=$resolution --fields=$series,stime --values=$value --delimited=, | sed 's/sTime/date/' | sort -k2n > data/test.csv
50 | cat <(grep 'date' data/test.csv) <(grep -v 'date' data/test.csv) | sed -e '1s/\(.*\)/\L\1/' > data/ms.csv
51 | rm data/test.csv
52 | #optionlist=$(cat data/ms.csv | awk -F, '{print $1}' | tail -n +2 | uniq | sed 's/^/