[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

31 May 2010

Visualizing sshd brute-force attempts

Trying this out gave some interesting results...

1.---

Step one is a Splunk query, run over the span of the last 7 days:

sourcetype="ossec_alerts" rule_number="5710"|
rex field=_raw "Invalid user (?<userid>[^ ]+) from"|
fields + src_ip,userid|fields - _*|
dedup src_ip userid|
outputcsv ssh-atk-attempts-userid-ip

2.---

Then some data massaging on the csv file...

[edit: this is not needed...just output the csv file with the fields in the order you want...and read the next post for better options with 2-column csv inputs]

# append a constant third column so every (src_ip, userid) edge also points at the target server
cat ssh-atk-attempts-userid-ip.csv | \
sed 's/^.*$/&,server/' > ssh-atk-attempts-userid-ip2.csv

3.---

Then run it through AfterGlow and GraphViz's neato...

# afterglow.pl turns the csv into a DOT graph; neato lays it out and renders the gif
cat ssh-atk-attempts-userid-ip2.csv | \
./afterglow.pl | neato -Tgif -o ssh-atk-ip-userid.gif

There seems to be very little overlap in the userids attempted from different IPs (with the exception of a few favourites like root, guest and test). A coordinated/distributed attack perhaps? I haven't dug further into the IPs in question, but I'm pretty sure they'd be broadband addresses, meaning that they are bots (infected home machines).
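As an added, offline stand-in for steps 1 to 3 and for the overlap question above (this is example code written for this page, not the original post's Splunk search or AfterGlow's own code), the snippet below does the same "Invalid user ... from ..." extraction the Splunk rex does, but over a handful of constructed sshd lines: it dedups the (src_ip, userid) pairs like `dedup src_ip userid`, writes the two- or three-column CSV that afterglow.pl takes, and counts how many distinct source IPs tried each userid. The log lines, the hostname srv1 and the IP addresses are made up for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real data): the raw events behind an
# OSSEC "Invalid user" alert. One line is a duplicate and one is a failed root
# password, which the "Invalid user" extraction deliberately does not match.
SAMPLE_LOG = """\
May 30 02:11:03 srv1 sshd[2201]: Invalid user admin from 198.51.100.7
May 30 02:11:09 srv1 sshd[2203]: Invalid user oracle from 198.51.100.7
May 30 02:11:09 srv1 sshd[2203]: Invalid user oracle from 198.51.100.7
May 30 03:40:51 srv1 sshd[2290]: Invalid user test from 203.0.113.21
May 30 03:40:58 srv1 sshd[2292]: Invalid user admin from 203.0.113.21
May 30 03:41:05 srv1 sshd[2294]: Invalid user nagios from 203.0.113.21
May 30 04:02:17 srv1 sshd[2310]: Failed password for root from 192.0.2.55 port 4120 ssh2
May 30 05:15:44 srv1 sshd[2377]: Invalid user backup from 192.0.2.55
"""

# Same extraction the Splunk rex does: "Invalid user <userid> from <src_ip>".
INVALID_USER_RE = re.compile(
    r"Invalid user (?P<userid>\S+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def extract_pairs(log_text):
    """Return the deduplicated set of (src_ip, userid) pairs, like `dedup src_ip userid`."""
    pairs = set()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            pairs.add((m.group("src_ip"), m.group("userid")))
    return pairs


def to_afterglow_csv(pairs, server=None):
    """Two-column CSV (src_ip,userid) for afterglow.pl -t, or three-column with a
    constant server node appended, which is what the sed step above produced."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for src_ip, userid in sorted(pairs):
        row = [src_ip, userid]
        if server:
            row.append(server)
        writer.writerow(row)
    return buf.getvalue()


def userid_overlap(pairs):
    """Map each userid to the set of source IPs that tried it."""
    by_user = defaultdict(set)
    for src_ip, userid in pairs:
        by_user[userid].add(src_ip)
    return dict(by_user)


def shared_userids(pairs):
    """Userids attempted from more than one source IP: the 'overlap' in the graph."""
    return sorted(u for u, ips in userid_overlap(pairs).items() if len(ips) > 1)


if __name__ == "__main__":
    pairs = extract_pairs(SAMPLE_LOG)
    print(to_afterglow_csv(pairs, server="srv1"), end="")
    print("userids tried from more than one IP:", shared_userids(pairs))
```

Feed the CSV output straight to `afterglow.pl | neato` as in step 3; on the constructed input only `admin` is shared between two sources, so the graph shows mostly disjoint per-IP fans rather than a hub of shared userids, which is the pattern the post describes.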

Of course we could try a larger timespan, but the result isn't readable: the graph for all time in Splunk comes out as a 1 MB, 1813 x 1704 px image that looks pretty but can't actually be read.

[edit: there are better results in the next post!]

20 Apr 2010

Getting additional (IP/network/location) info along with your Splunk searches

I chanced upon some of this info by accident (smack at the bottom of one part of the Splunk documentation...), but I can't find it now. Going to share it here anyway :D

Some (probably most, if not all) of your searches will involve public IP addresses, and more often than not you want additional information about the address to work with, not just the address itself.

Three things Splunk can do for you automatically are to add IP geolocation info, to reverse-resolve an IP to a hostname, and to resolve a hostname to an IP.

13 Mar 2010

Fun with Splunk: SSHD

Thought I'd share a little of what can be done with Splunk, just the tip of the iceberg. Linux command-line tools are still essential for raw log analysis (we don't always have the luxury of a Splunk installation ready whenever we need it), but when set up and running properly, Splunk can be very helpful (not to mention faster) for some things.

(This post is pretty unpolished, partly because I can't be bothered to fiddle with fitting the search strings into the width of the post, etc. Nonetheless, comments and discussion are always welcome heh)

One of my favourite log-analysis tasks is gathering information on the people/bots brute-forcing SSHD, so let's start with SSH attacks as an example.