Monday, September 5, 2011

Viz: Apache Log File visualization using the tool glTail developed using ruby

I found this interesting article, which visualizes Apache access_log data to show the number of attempts an attacker made to reach a server (a VOIP server, in this case).

Visualizing a cyber attack on a VOIP server from Ben Reardon, Dataviz Australia on Vimeo.

“The imagery shown is based on real data from a real attack. The ‘balls’ on the right represent some hacker attempting to crack a VOIP server. The balls on the left represent the server’s response to the attack. The balls crash into each other and fight it out in the middle of the battlefield. The good balls do better, in this case. Although the attack is relentless and fast-paced, the volume of data from this one attack on a single IP/port (here UDP 5060 for SIP sessions) is really a drop in the ocean in terms of the wider internet. The visualization is created via a Ruby-based tool called “gltail”, which is specifically designed to visualize Apache web server logs in real-time.
With highly automated and blindingly fast scripting tools, crooks scan the internet looking for these VOIP servers. When found, the tool cracks the passwords on the extensions. Calls can then be made using these passwords. Victims only notice something is wrong when the next phone bill arrives, so there is a 1-2 month window in which the cracked address can be sold and used for illegitimate international calls.”

Info via Infosthetics

As seen in the video, the left side shows the honeypot (server) data: the total number of sites scanned, the number of referrals per minute, and a faked-out user count. On the right side is the attacker, who scans the sites with a large number of referrals.

The tool glTail uses OpenGL and Ruby to visualize the events taking place in log files in real time. The script uses net-ssh to connect to a server and then libopengl-ruby to output the graphics. Parsers are included for processing Apache, Rails, IIS and Postfix log files. Nice work, I believe! More details on this tool can be found here.