Let me start by saying that I understand that to us (IT people), these maps are a joke. The Norse Map is notorious for freaking people out while showing things that might or might not be attacks. Typically I avoid such things since they tend to cause me headaches, but their effectiveness should not be underestimated.
The Director of my agency loves to get upset when a pindrop map (a Google Map with pins that drop when people connect), made by an outside vendor, stops working. Typically it is just a matter of refreshing the page, but it always grinds my gears when I get a call about it. Each time I'd explain that it doesn't mean activity has stopped and that, in the grand scheme of everything we display, it is the least important. Yet I'd still get calls about it.
One day I was speaking with the Director of my agency and what he said summed up perfectly why it is "important". He said, "Listen, I know that map isn't important and that when it stops working it doesn't mean activity is 0. But, unfortunately for you, it is the thing that people talk about constantly during and after tours. When I travel, people come up to me and specifically talk about seeing the map when they are in town. To them it displays that we have some semblance of an idea of what we are doing." I don't think anyone could put it better. After that he told me I had an unlimited budget to put up more screens and have things to display.
Of course I thought, "I'm collecting all of this data on networks, some of which is clearly attacks, so I should show it." Writing it from scratch isn't an option, so I figured there had to be an open source project that I could modify for my use. I stumbled across PewPew (https://github.com/hrbrmstr/pewpew) and thought I finally had what I was looking for! But, alas, it was for naught. It is set up as a "joke" to poke fun at the stupidity of these maps, but it's decently done. As I looked at the code I noted that it uses randomly generated IP addresses. Since I have IPs I want to work with, I decided to modify it, and it was proving difficult. My coworker noted that under the "Issues" tab someone had suggested allowing the use of real data and another person had written something.
https://github.com/joshftx/maps - this one was modified to allow you to send an IP to it; it performs the lookup and then plots it. I thought, perfect, and went about deploying it (fairly simple). It requires registering with a company and obtaining an API key (free) to perform the lookups. I did this, but lo and behold, they never sent me the key (it has been 36 hours now with no reply). So I thought, well, I could write my own software to do the lookup and feed the JSON to the map. As I began to write the code (in Python) I thought maybe I should look to see if there is a company providing the lookup (why reinvent the wheel).
So I looked and came across FreeGeoIP.net, which allows up to 10000 queries per hour and returns the results in JSON format. They also provide the source code, so you can deploy your own server to do the lookups and not deal with the 10000-query limit. So I modified the code in two spots and bam, I have a working map. The last piece is to write a program to pull the data out of Elasticsearch in real time so I can plot it.
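Here is what that lookup-and-feed step looks like in Python, as an added example (not code from this post, from the maps project, or from FreeGeoIP). It drops addresses that can never geolocate (RFC 1918, loopback and the like), caches each IP so it costs at most one query against the 10000-per-hour budget, and turns a batch of source IPs into the list of points the map gets. The freegeoip-style field names are an assumption, and the sample responses, addresses and places are constructed so it runs offline.

```python
import ipaddress

# Constructed stand-in for freegeoip-style /json/<ip> answers so the script runs offline.
# Field names follow the freegeoip.net JSON layout (assumed); the addresses and places are made up.
SAMPLE_RESPONSES = {
    "1.2.3.4": {"ip": "1.2.3.4", "country_code": "GB", "city": "Exampleton",
                "latitude": 51.5, "longitude": -0.12},
    "5.6.7.8": {"ip": "5.6.7.8", "country_code": "FR", "city": "Testville",
                "latitude": 48.86, "longitude": 2.35},
}

def offline_lookup(ip):
    return SAMPLE_RESPONSES.get(ip)

class GeoPlotter:
    def __init__(self, lookup, hourly_limit=10000):
        self.lookup = lookup          # any callable ip -> dict or None (offline or HTTP)
        self.hourly_limit = hourly_limit
        self.cache = {}               # ip -> point or None; each IP costs at most one query
        self.calls = 0                # queries spent this hour; caller zeroes it when the window resets

    def point_for(self, ip):
        # Return a point for the map, or None if this IP cannot (or should not) be plotted
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None               # junk in the log field, not an address
        if not addr.is_global:
            return None               # RFC 1918, loopback, link-local etc. never geolocate
        if ip in self.cache:
            return self.cache[ip]
        if self.calls >= self.hourly_limit:
            return None               # budget spent; do not burn the key on more queries
        self.calls += 1
        resp = self.lookup(ip)
        point = None
        if resp and resp.get("latitude") is not None:
            point = {"ip": ip, "lat": resp["latitude"], "lon": resp["longitude"],
                     "city": resp.get("city", ""), "country": resp.get("country_code", "")}
        self.cache[ip] = point
        return point

def map_feed(plotter, src_ips):
    # Batch of source IPs (e.g. pulled from Elasticsearch) -> list of points for the map's JSON
    return [p for p in (plotter.point_for(ip) for ip in src_ips) if p]
```

For live use, swap in a lookup that fetches `<server>/json/<ip>` (freegeoip's URL pattern, assumed here) with urllib.request and returns the parsed JSON; `json.dumps(map_feed(plotter, ips))` is what gets handed to the map.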
I was showing some coworkers the work I had done when our HR person walked in. He asked what it was and I said the pins represent all of the places that are actively attacking some of our systems. Fear instantly set in and he stayed for 30 minutes to talk about what was happening. Effective.