For those of you who have been following, I have been experimenting with using netstat and other Linux command line utilities to enrich objects in a graph, visualized using D3.js and a modified version of netjsongraph.js. Here is link to some of these examples on YouTube.
In this next example (see YT video in this post), I have used the Snort IDS as a software sensor and parsed the Snort alerts using PHP to create a JSON file. This JSON file is visualized using my modified netjsongraph.js code. This visualization represents about 2 hours of raw alert data from an instance of Snort using the D3.js force layout construct provided by netjsongraph.js. Personially, I think this visualization would work better as an D3 interactive collapsible tree layout; however, this force layout was a good first “baby step” D3 visualization as a proof of concept.
Basically, I paint the basenode black, and then aggregate all the IP addresses based on geoip country code. Then I cluster the IP addresses in each country based on Snort ID (sid). The country_nodes are blue. The ip_nodes are green; and the sid nodes are either red, orange, yellow or pale yellow based on the Snort alert priority.
So far, there is no sensor fusion to speak of, as this a first “baby step” example created only from the basic Snort alerts, enriched slightly with geoip information, clustered and illustrated as a force layout D3 graph. More to come later ….