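{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Hunting Nmap scans in a Zeek `http.log`\n",
    "\n",
    "Reads a Zeek (formerly Bro) `http.log`, stacks URIs and user agents, finds the requests that carry the Nmap Scripting Engine user agent, tallies which client/server pairs those requests involve, and exports every HTTP record between the flagged pairs as CSV for review in Excel. Restart the kernel and run all cells with `http.log` in the working directory.\n",
    "\n",
    "**Findings from the captured log (original run):** 171 requests carried the Nmap NSE user agent. Two internal clients were the source: `192.168.2.42` probed `192.168.88.115`, and `192.168.2.64` probed nine `192.168.88.x` hosts (`.20`, `.25`, `.49`, `.51`, `.60`, `.61`, `.95`, `.100`, `.115`), with `192.168.88.51` receiving the most (39 requests). The URI stack also shows other scanner fingerprints worth stacking the same way: `/nice ports,/Trinity.txt.bak` (an Nmap service-probe request), `/.git/HEAD`, `/robots.txt`, and what look like `RTSP`/`SIP` request lines parsed out of the HTTP stream.\n",
    "\n",
    "**Caveat:** the user agent is chosen by the scanner, so matching on it catches only Nmap's default NSE HTTP scripts. A scan run with a custom user agent, or one that never completes an HTTP request, does not appear here; the absence of a match is not evidence of absence."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "import json\n",
    "from collections import Counter, defaultdict\n",
    "from datetime import datetime, timedelta\n",
    "\n",
    "import matplotlib.pylab as plot\n",
    "import numpy as np"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "LOG_PATH = \"http.log\"                     # Zeek http.log, tab separated\n",
    "OUT_PATH = \"suspicious_http_records.csv\"  # export for Excel\n",
    "TOP_N = 40                                # rows shown per stack; None for all\n",
    "\n",
    "# User agents treated as scanner traffic.\n",
    "SUSPICIOUS_USER_AGENTS = [\n",
    "    \"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\",\n",
    "]\n",
    "\n",
    "# Column order of Zeek's http.log; used only when the log has no #fields header.\n",
    "DEFAULT_HTTP_FIELDS = (\n",
    "    \"ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,trans_depth,method,host,uri,\"\n",
    "    \"referrer,user_agent,request_body_len,response_body_len,status_code,status_msg,\"\n",
    "    \"info_code,info_msg,filename,tags,username,password,proxied,orig_fuids,\"\n",
    "    \"orig_mime_types,resp_fuids,resp_mime_types\"\n",
    ").split(\",\")"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Load the log\n",
    "\n",
    "Columns are looked up by name from the log's own `#fields` header rather than by hard-coded position, so a log written by a different Zeek version or with extra columns still works. Blank lines and all other `#` header/footer lines are dropped."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "def read_zeek_log(path):\n",
    "    \"\"\"Read a tab-separated Zeek ASCII log.\n",
    "\n",
    "    Returns (fields, records): `fields` is the column list from the\n",
    "    `#fields` header line (empty if absent) and `records` is a list of the\n",
    "    non-comment lines, each split on tabs.  Other `#` lines (`#separator`,\n",
    "    `#types`, `#close`, ...) and blank lines are skipped.\n",
    "    \"\"\"\n",
    "    fields = []\n",
    "    records = []\n",
    "    with open(path, \"r\") as infile:\n",
    "        for raw in infile:\n",
    "            line = raw.rstrip(\"\\r\\n\")\n",
    "            if not line:\n",
    "                continue\n",
    "            if line.startswith(\"#fields\"):\n",
    "                fields = line.split(\"\\t\")[1:]\n",
    "            elif not line.startswith(\"#\"):\n",
    "                records.append(line.split(\"\\t\"))\n",
    "    return fields, records\n",
    "\n",
    "\n",
    "def column(record, name):\n",
    "    \"\"\"Field `name` of a split http.log record, via the `col` map built in the next cell.\"\"\"\n",
    "    return record[col[name]]\n",
    "\n",
    "\n",
    "def bare_uri(uri):\n",
    "    \"\"\"Drop the query string so /x?a=1 and /x?a=2 stack as one URI.\"\"\"\n",
    "    return uri.split(\"?\")[0].split(\"&\")[0]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "http_fields, http_records = read_zeek_log(LOG_PATH)\n",
    "if not http_fields:\n",
    "    # No #fields header (e.g. a log with its comment lines stripped): fall\n",
    "    # back to the column order this notebook was written against.\n",
    "    http_fields = DEFAULT_HTTP_FIELDS\n",
    "col = dict((name, i) for i, name in enumerate(http_fields))\n",
    "\n",
    "REQUIRED = [\"ts\", \"id.orig_h\", \"id.resp_h\", \"uri\", \"user_agent\"]\n",
    "missing = [name for name in REQUIRED if name not in col]\n",
    "assert not missing, \"http.log lacks expected columns: %s\" % missing\n",
    "\n",
    "# Drop truncated records so the column lookups below never index past the end.\n",
    "n_needed = max(col[name] for name in REQUIRED) + 1\n",
    "http_records = [r for r in http_records if len(r) >= n_needed]\n",
    "print(\"%d http records, %d columns\" % (len(http_records), len(http_fields)))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Stack URIs\n",
    "\n",
    "Query strings are stripped so the same resource stacks as one row. Rare URIs at the bottom of the full list are usually the interesting ones; set `TOP_N = None` to see them all."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "uri_counts = Counter(bare_uri(column(r, \"uri\")) for r in http_records)\n",
    "print(\"%d distinct uris\" % len(uri_counts))\n",
    "for uri, n in uri_counts.most_common(TOP_N):\n",
    "    print(\"%6d  %s\" % (n, uri))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Stack user agents"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "user_agent_counts = Counter(column(r, \"user_agent\") for r in http_records)\n",
    "print(\"%d distinct user agents\" % len(user_agent_counts))\n",
    "for user_agent, n in user_agent_counts.most_common(TOP_N):\n",
    "    print(\"%6d  %s\" % (n, user_agent))"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Client/server pairs seen with the Nmap user agent\n",
    "\n",
    "Requests are counted per (client, server, timestamp) and then summed per pair, so two requests logged with the same timestamp are not collapsed into one. First/last seen bounds the scan window for correlation with other logs."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# client -> server -> Counter(timestamp -> requests)\n",
    "nmap_scanned_hosts = defaultdict(lambda: defaultdict(Counter))\n",
    "for r in http_records:\n",
    "    if column(r, \"user_agent\") in SUSPICIOUS_USER_AGENTS:\n",
    "        nmap_scanned_hosts[column(r, \"id.orig_h\")][column(r, \"id.resp_h\")][column(r, \"ts\")] += 1\n",
    "\n",
    "# suspicious_hosts (client -> [servers]) drives the export below.\n",
    "print(\"client ip,server ip,num requests,first seen (UTC),last seen (UTC)\")\n",
    "suspicious_hosts = {}\n",
    "for client in sorted(nmap_scanned_hosts):\n",
    "    for server in sorted(nmap_scanned_hosts[client]):\n",
    "        hits = nmap_scanned_hosts[client][server]\n",
    "        stamps = sorted(float(ts) for ts in hits)  # Zeek ts is epoch seconds\n",
    "        first = datetime.utcfromtimestamp(stamps[0]).isoformat()\n",
    "        last = datetime.utcfromtimestamp(stamps[-1]).isoformat()\n",
    "        print(\",\".join([client, server, str(sum(hits.values())), first, last]))\n",
    "        suspicious_hosts.setdefault(client, []).append(server)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Export records for the flagged pairs\n",
    "\n",
    "Every column of every record between a flagged client and server is written, not only the Nmap requests, so the reviewer can see what else those clients did against those hosts. The header comes from the log's `#fields` line. Two points about the file itself:\n",
    "\n",
    "- The URI, host, referrer and user-agent values are chosen by the remote side; a value starting with `=`, `+`, `-` or `@` would be evaluated as a formula when the CSV is opened in a spreadsheet, so such values are prefixed with a quote. Fields are also properly quoted, so an embedded `\"` no longer breaks the row.\n",
    "- The export includes the `username` and `password` columns when Zeek was configured to log them, so handle the file accordingly."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "def excel_safe(value):\n",
    "    \"\"\"Neutralise a field that a spreadsheet would evaluate as a formula.\n",
    "\n",
    "    A value beginning with '=', '+', '-' or '@' (or a tab/CR) is prefixed\n",
    "    with a single quote.  Zeek's lone '-' (unset field) is left alone.\n",
    "    \"\"\"\n",
    "    if value != \"-\" and value and value[0] in \"=+-@\\t\\r\":\n",
    "        return \"'\" + value\n",
    "    return value\n",
    "\n",
    "\n",
    "def csv_row(values):\n",
    "    \"\"\"RFC 4180 row: every field quoted, embedded quotes doubled, newline terminated.\"\"\"\n",
    "    return \",\".join('\"' + excel_safe(v).replace('\"', '\"\"') + '\"' for v in values) + \"\\n\""
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "n_written = 0\n",
    "with open(OUT_PATH, \"w\") as outfile:\n",
    "    outfile.write(csv_row(http_fields))\n",
    "    for r in http_records:\n",
    "        if column(r, \"id.resp_h\") in suspicious_hosts.get(column(r, \"id.orig_h\"), []):\n",
    "            outfile.write(csv_row(r))\n",
    "            n_written += 1\n",
    "print(\"wrote %d records to %s\" % (n_written, OUT_PATH))"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 2",
   "language": "python",
   "name": "python2"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 2
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython2",
   "version": "2.7.13"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 2
}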