[SecViz] Print node labels only after threshold

Michel Ferreira michelf at gmail.com
Wed Apr 14 13:12:44 EDT 2010


No, it's from a Juniper Netscreen firewall. I've created a parser based
on the pf2csv.pl and I intend to release it here, so if you want you
can include it along with the others. Since I've never programmed with
Perl I'm still trying to make some adjustments to the regex and the code
before I release it, just some simple tweaks, all I need now is time
to do it :P

On Wed, Apr 14, 2010 at 12:42 PM, Raffael Marty <raffy at raffy.ch> wrote:
> Nice! How did you get the session table out? (iptables -L -n -v?)
>
> If you use "afterglow -e 1.5 ..." you might get a bit of a tighter graph. The default edge length of 3 is generally a bit big.
>
> Thx for posting!
>
>  Raffael
>
> --
> Raffael Marty,                               Founder @ Loggly
> @zrlram                                         raffy.ch/blog
>
> On Apr 14, 2010, at 4:05 AM, Michel Ferreira wrote:
>
>> Thanks Raffy, worked like a charm =)
>>
>> Here's my properties file, for anyone who wants to reproduce. The
>> input is a session table of a firewall.
>>

>> # AfterGlow Color Property File
>> #
>> # @fields is the array containing the parsed values
>> # color.source is the color for source nodes
>> # color.event is the color for event nodes
>> # color.target is the color for target nodes
>> #
>> # The first match wins
>> #
>>
>> color.source="yellow" if ($fields[0]=~/^192\.168\..*/);
>> color.source="greenyellow" if ($fields[0]=~/^10\..*/);
>> color.source="lightyellow4" if ($fields[0]=~/^172\..*/);
>> color.source="red"
>>
>> color.event="blue" if ($fields[1]<1024)
>> color.event="lightblue"
>>
>> color.target="yellow" if ($fields[2]=~/^192\.168\..*/);
>> color.target="greenyellow" if ($fields[2]=~/^10\..*/);
>> color.target="lightyellow4" if ($fields[2]=~/^172\..*/);
>> color.target="red"
>>
>> # Changing node labels:
>> #label=substr(field(),0,10)
>> label=field() if ($fields[0] > 100)
>>
>> # URL for nodes (used for graphviz to enable image map functionality)
>> # This is an example of how to use AfterGlow with Splunk
>> url=http://localhost:8000/?q=\N%20starthoursago%3A%3A24
>>
>> # Using node sizes:
>> #size.source=1;
>> #size.target=200
>> #maxNodeSize=0.2
>>

>> I've attached the resulting file.
>>
>> Regards,
>> Michel
>>
>> On Tue, Apr 13, 2010 at 7:48 PM, Raffael Marty <raffy at raffy.ch> wrote:
>>> You can do that.... You will have to do something like:
>>>
>>> label=field() if ($foo)
>>>
>>> in the property file. $foo is your condition. The threshold you get through $targetCount{$targetName}...
>>>
>>> label=field() if ($targetCount{$targetName} > 10)
>>>
>>> I haven't tried this, but this is I think how you can do it. Let me know if that works.
>>>
>>>  Raffy
>>>
>>> --
>>> Raffael Marty,                               Founder @ Loggly
>>> @zrlram                                         raffy.ch/blog
>>>
>>> On Apr 13, 2010, at 1:16 PM, Michel Ferreira wrote:
>>>
>>>> On afterglow is there any way to print the labels only after a certain threshold?
>>>>
>>>> Regards,
>>>>
>>>> Michel
>>>> _______________________________________________
>>>> SecViz-Visualization mailing list
>>>> SecViz-Visualization at secviz.org
>>>> http://eight.pairlist.net/mailman/listinfo/secviz-visualization

>> <print_14-04-2010 08.01.11.png>



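The label rule discussed in this thread, shown as an added Perl sketch that is not part of the original messages and is not AfterGlow code: it counts how often each target occurs and emits DOT in which a target node keeps its label only above the threshold. The sample rows, the threshold of 2 and the helper `target_label` are constructed for illustration, and the sketch assumes `$targetCount{$targetName}` holds the number of input rows that name that target.

```perl
#!/usr/bin/perl
# Added illustration, not AfterGlow code. Reproduces the effect of
#   label=field() if ($targetCount{$targetName} > 10)
# on constructed data, using a smaller threshold.
use strict;
use warnings;

my $threshold = 2;    # assumed value for this sample; the thread uses 10

# Constructed session-table rows: source IP, destination port, target IP
my @rows = (
    "192.168.1.10,80,10.0.0.5",
    "192.168.1.11,80,10.0.0.5",
    "192.168.1.12,443,10.0.0.5",
    "192.168.1.10,22,172.16.0.9",
    "192.168.1.13,53,8.8.8.8",
);

# First pass: count how often each target occurs (assumed to be what
# $targetCount{$targetName} holds when the label rule is evaluated).
my (%targetCount, @edges);
for my $row (@rows) {
    my @fields = split /,/, $row;
    next unless @fields == 3;          # skip malformed rows
    $targetCount{ $fields[2] }++;
    push @edges, \@fields;
}

# A target keeps its name as label only above the threshold;
# otherwise the label is empty and the node is drawn unlabeled.
sub target_label {
    my ($targetName) = @_;
    return $targetCount{$targetName} > $threshold ? $targetName : "";
}

# Second pass: emit the DOT graph (source -> port -> target per row).
print "digraph sessions {\n";
for my $t (sort keys %targetCount) {
    printf qq{  "%s" [label="%s"];\n}, $t, target_label($t);
}
for my $e (@edges) {
    printf qq{  "%s" -> "%s" -> "%s";\n}, @$e;
}
print "}\n";
```

Piping the output through Graphviz (for example `dot -Tpng`) shows only the busiest target carrying a label, which is the decluttering effect the threshold rule is meant to give on a dense session graph.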