How we built the CyberSift Attack Map

Recently we launched a small site called the “CyberSift Attack Map” hosted at http://attack-map.cybersift.ioAny one involved in the InfoSec industry will be instantly familiar with the site:


Screenshot from 2017-10-12 12-36-06

It’s basically a map of attacks which either trip some rule in a signature based IPS such as SNORT, or land in a honeypot. In this article we’ll list some of the libraries and techniques we used to build the site for any devs out there who are interested.


We used the python Flask microframework, work in unison with Gevents. This was a relatively straightforward operation, with the major point of note being our inclusion of support for HTML5 server side events [SSE]. SSE are WebSocket’s smaller brother. Whereas websockets allow for bi-directional communication between browser and server, SSE only allow for unidirectional communication from server to browser. This suited our needs perfectly since we don’t really need the browser to get back to our server, but we do need real-time updates to flow from our server back down to the browser to populate the attack details, gauges and so on. We based our SSE Flask implementation off the extremely useful snippet from Oskar Blom you can find here:

If you are going to go down this road, make sure you add some sort of “heartbeat” which instructs Flask to remove inactive clients from the subscriptions. As soon as our honeypot or twitter microservice got wind of a new attack, it’s pushed  as a message via SSE and updates the client browser in realtime


It’s amazing to see just how quickly you can build a useful site because of the incredible hard work of other talented devs… In this case we used the following libraries to build the site:

If the site really catches on, we would need to consider re-writing the frontend with something like ReactJS to improve rendering performance


Nugget Post: Insert an alert / rule name in emails sent from ElastAlert

ElastAlert is a fantastic python module that makes it easy to setup near – realtime alerts and responses to entries of interest. A quick piece of information  which I didnt find clearly documented was how to insert an alert name into a custom subject line sending email alerts. 

A typical custom email alert rule file would include something similar to the following:

alert_subject: “My Alert: {0} triggered”
– name

The “name” variable is basically a “reserved keyword” that will be substituted with the alert name, internally the code is making a lookup in a dictionary:

if ‘alert_subject_args’ in self.rule:
alert_subject_args = self.rule[‘alert_subject_args’]

Looking at other parts of the code reveals that “self.rule” is a dictionary, which has an element called “name” containing the alert name defined in the rule file