We will create images showing the correlation between attacker host, vulnerability and malware.
Basically, the image will look like this:

I had to cheat to get the image to a valid size …
But you may have much more data, so your image may look like this:

This is a rescaled version of the real image; here is a link to the large one.
First, extract the data we need from the sqlite database; the query takes all downloads during the last 14 days into account.
SELECT
    root.remote_host,
    root.connection_protocol || '::' || dcerpcservice_name || '::' || dcerpcserviceop_name,
    downloads.download_md5_hash
FROM
    downloads
    NATURAL JOIN connections
    JOIN connections AS root ON (connections.connection_root = root.connection)
    JOIN dcerpcbinds AS binds ON (root.connection = binds.connection)
    JOIN dcerpcrequests ON (root.connection = dcerpcrequests.connection AND binds.dcerpcbind_uuid = dcerpcrequest_uuid)
    JOIN dcerpcservices ON (dcerpcservice_uuid = binds.dcerpcbind_uuid)
    JOIN dcerpcserviceops ON (dcerpcserviceops.dcerpcservice = dcerpcservices.dcerpcservice AND dcerpcserviceop_opnum = dcerpcrequests.dcerpcrequest_opnum)
WHERE
    root.connection_timestamp > strftime('%s','now') - 14*24*3600
;
afterglow-malware-hosts.sql
As afterglow's thresholds did not do any good for me (I brute-forced all of them), I decided to limit the image size in a way I expected to work: limiting the input data size.
    JOIN (
        SELECT
            COUNT(*) AS download_count,
            download_md5_hash
        FROM
            downloads
            NATURAL JOIN connections AS iconnections
            JOIN connections AS iroot ON (iconnections.connection_root = iroot.connection)
        WHERE
            iroot.connection_timestamp > strftime('%s','now') - 21*24*3600
        GROUP BY
            download_md5_hash
    ) AS download_counts ON (download_counts.download_md5_hash = downloads.download_md5_hash)
add this join
WHERE
    root.connection_timestamp > strftime('%s','now') - 21*24*3600
    AND download_count > 27
add the download_count filter clause
sqlite> .separator ","
sqlite> .output /tmp/afterglow-malware-hosts.csv
sqlite> .read afterglow-malware-hosts.sql
Replace all host addresses with 10/8 addresses.
ipstrip did not really survive the git migration; here is a copy.
cat /tmp/afterglow-malware-hosts.csv | ipstrip.py -l -s mysecret > /tmp/afterglow-malware-hosts-sanatized.csv
Afterglow will take the sanitized csv file and create a dot file for us.
color.source="yellow"
color.event="green"
color.target="red"
afterglow-malware-hosts.conf
src/perl/graph/afterglow.pl -d -p 2 -i /tmp/afterglow-malware-hosts-sanatized.csv -w /tmp/afterglow-malware-hosts.dot -c /tmp/afterglow-malware-hosts.conf
To reduce the image size, I changed the node shape to box and set the edge len to 1.5 in the resulting dot file.
...
node [shape=box, style=filled, fontsize=10, width=0.2, height=0.2, fontcolor=black];
edge [len=1.5];
...
head of /tmp/afterglow-malware-hosts.dot
The dot file created by afterglow is fed into neato, which creates the image.
neato -Tpng -o /tmp/afterglow-malware-hosts.png /tmp/afterglow-malware-hosts.dot
The large version can be found here.
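As an added example (not part of the original post, and not afterglow's or ipstrip's own code), the two post-query steps above done in Python: a keyed HMAC mapping of attacker hosts into 10/8, which is a stand-in for ipstrip (assumption: ipstrip's real algorithm is not shown here), and a dot file built from the three-column csv with the colours from afterglow-malware-hosts.conf plus the box/len tweaks. The sample rows are constructed.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample rows in the layout the query above produces:
# remote_host, protocol::service::operation, download md5 (values made up).
SAMPLE_CSV = """192.0.2.10,smbd::SRVSVC::NetPathCanonicalize,d41d8cd98f00b204e9800998ecf8427e
192.0.2.10,smbd::SRVSVC::NetPathCanonicalize,0cc175b9c0f1b6a831c399e269772661
198.51.100.7,smbd::SRVSVC::NetPathCanonicalize,d41d8cd98f00b204e9800998ecf8427e
"""


def sanitize_host(host: str, secret: str) -> str:
    """Map a real attacker address to a 10/8 address (stand-in for ipstrip).

    A keyed HMAC keeps the mapping stable for one secret, so one host stays one
    node in the graph, while the published image no longer carries the real
    address and cannot be reversed without the secret.
    """
    digest = hmac.new(secret.encode(), host.encode(), hashlib.sha256).digest()
    return "10.%d.%d.%d" % (digest[0], digest[1], digest[2])


def csv_to_dot(csv_text: str, secret: str) -> str:
    """Build a neato-ready dot graph: source yellow, event green, target red,
    box nodes and edge len 1.5 as in the hand-edited dot file above."""
    nodes = {}   # label -> fill colour, first class wins, insertion ordered
    edges = []   # (from, to) pairs, deduplicated, insertion ordered
    for src, event, target in csv.reader(io.StringIO(csv_text)):
        src = sanitize_host(src, secret)
        nodes.setdefault(src, "yellow")
        nodes.setdefault(event, "green")
        nodes.setdefault(target, "red")
        for edge in ((src, event), (event, target)):
            if edge not in edges:
                edges.append(edge)
    lines = ["digraph G {",
             "node [shape=box, style=filled, fontsize=10, width=0.2, height=0.2, fontcolor=black];",
             "edge [len=1.5];"]
    lines += ['"%s" [fillcolor=%s];' % (label, colour) for label, colour in nodes.items()]
    lines += ['"%s" -> "%s";' % (a, b) for a, b in edges]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(csv_to_dot(SAMPLE_CSV, "mysecret"))
```

Pipe the output into `neato -Tpng` as above to get the image.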
Hello Markus,
My name is Ivan and I'm working with dionaea in my master degree.
I have installed it and everything is going alright. But now I need to extract information from it.
Unfortunately I'm not so good with databases and I don't manage to execute what you show in http://carnivore.it/2010/06/11/data_visualisation_-_afterglow ; http://carnivore.it/2010/06/06/data_visualisation and http://carnivore.it/2010/09/19/gnuplotsql
Can you help me, please!!!
If you want, you can send me an email.
Regards,
Ivan