## Working with network protocol logs

Network protocol (layer-7) logs provide insight into high-level, application-protocol events.

The following protocols are currently supported:

- dhcp  - Zeek dhcp.log
- dns   - Zeek dns.log
- http  - Zeek http.log
- sip   - Zeek sip.log
- snmp  - Zeek snmp.log
- ssh   - Zeek ssh.log

#### Start by importing the required libraries.

In [1]:
from datetime import datetime, timedelta

import dynamite_sdk
from dynamite_sdk.search import Search

# Path of the SDK configuration file. It presumably holds the backend connection
# settings, so nothing sensitive has to live in this notebook -- confirm against
# the SDK docs. A missing file is reported but not fatal here, which means a
# later Search() call may be the first thing that actually fails.
CONFIG_PATH = '/etc/dynamite/dynamite_sdk/config.cfg'

try:
    dynamite_sdk.config.read(CONFIG_PATH)
except FileNotFoundError:
    print('Could not locate configuration at /etc/dynamite/dynamite_sdk/config.cfg. Please create it.')

#### Set our initial search window to a 60 minute timeframe.

In [2]:
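# Length of the search window, in minutes.
# NOTE(review): the heading above says 60 minutes while this cell originally
# used 240 -- confirm which is intended before relying on the counts below.
WINDOW_MINUTES = 240

# Take a single timestamp and derive both ends from it, so the window is
# exactly WINDOW_MINUTES long. The original called datetime.now() twice, which
# makes `end - start` drift by however long the second call took.
# NOTE(review): datetime.now() is naive local time, while the event_time values
# shown below carry +00:00 (UTC); presumably the SDK reconciles this -- verify
# if results look shifted.
end = datetime.now()
start = end - timedelta(minutes=WINDOW_MINUTES)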

#### Instantiate our search.Search interface to search all *dhcp* events.

In [3]:
# Log family to query; the rows below come from the dhcp-events-* index.
protocol = 'dhcp'
# as_dataframe=True makes search.results a pandas DataFrame once a query has run.
search = Search(protocol, as_dataframe=True)

In [4]:
# Run the query over the configured window; the hits are exposed on search.results.
window = (start, end)
search.execute_query(*window)

In [5]:
# Preview the first few rows (last expression renders as a table).
# NOTE(review): in the sample rows source_ip_address equals node_ip_address
# (192.168.53.158), i.e. these are the sensor host's own lease renewals rather
# than third-party activity -- filter on source_ip_address if that is not wanted.
search.results.head(n=5)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,client_fqdn,domain,requested_ip_address,assigned_ip_address,lease_time,client_message,server_message,message_types,duration,uids
0,dhcp,2019-11-01 11:58:00.513000+00:00,192.168.53.158,192.168.32.1,,,dhcp-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,us-west-2.compute.internal,,192.168.53.158,3600.0,,,"[REQUEST, ACK]",4.1e-05,[CPekPVrcIKPmSTtpl]
1,dhcp,2019-11-01 11:30:23.249000+00:00,192.168.53.158,192.168.32.1,,,dhcp-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,us-west-2.compute.internal,,192.168.53.158,3600.0,,,"[REQUEST, ACK]",4.1e-05,[CXWoOw4hsk2d5JN5l8]
2,dhcp,2019-11-01 11:06:15.680000+00:00,192.168.53.158,192.168.32.1,,,dhcp-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,us-west-2.compute.internal,,192.168.53.158,3600.0,,,"[REQUEST, ACK]",4.5e-05,[C5Gyzv39JkGPnW1w32]
3,dhcp,2019-11-01 10:37:37.972000+00:00,192.168.53.158,192.168.32.1,,,dhcp-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,us-west-2.compute.internal,,192.168.53.158,3600.0,,,"[REQUEST, ACK]",4.6e-05,[COQz9I21f6MRpCctll]
4,dhcp,2019-11-01 10:07:59.522000+00:00,192.168.53.158,192.168.32.1,,,dhcp-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,us-west-2.compute.internal,,192.168.53.158,3600.0,,,"[REQUEST, ACK]",4e-05,[CLbAwM2lKdl6qdsJ09]


#### Instantiate our search.Search interface to search all *dns* events.

In [6]:
# Switch to the dns log family. Rebinding `search` discards the dhcp results
# above; re-run that section if they are needed again.
protocol = 'dns'
search = Search(protocol, as_dataframe=True)

In [7]:
# Query the same window as the other protocols. The SDK prints a notice when
# some events fail to parse; presumably those rows are left out of
# search.results, so counts derived from it are a lower bound.
query_window = (start, end)
search.execute_query(*query_window)

4 dns-events** failed to parse.


In [8]:
# Preview the first rows. query / query_type_name / response_code_name are the
# usual pivot fields; the NXDOMAIN PTR lookups seen below are the sensor resolving
# the addresses that contacted it.
preview = search.results.head(n=5)
preview

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,answers,query_type,query_type_name,query_class,query_class_name,query,response_code,response_code_name,transaction_id,round_trip_time
0,dns,2019-11-01 12:05:58.375000+00:00,192.168.53.158,192.168.0.2,41804,53,dns-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,12,PTR,1,C_INTERNET,129.194.40.45.in-addr.arpa,3,NXDOMAIN,64143,
1,dns,2019-11-01 12:00:03.018000+00:00,192.168.53.158,192.168.0.2,54097,53,dns-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,12,PTR,1,C_INTERNET,150.45.22.81.in-addr.arpa,3,NXDOMAIN,49750,
2,dns,2019-11-01 12:00:01.970000+00:00,192.168.53.158,192.168.0.2,33768,53,dns-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,12,PTR,1,C_INTERNET,110.27.176.185.in-addr.arpa,3,NXDOMAIN,44664,
3,dns,2019-11-01 12:00:01.777000+00:00,192.168.53.158,192.168.0.2,50820,53,dns-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,[h140-112.fcsrv.net],12,PTR,1,C_INTERNET,140.112.28.194.in-addr.arpa,0,NOERROR,32991,0.18617
4,dns,2019-11-01 11:53:15.716000+00:00,192.168.53.158,192.168.0.2,46783,53,dns-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,1,A,1,C_INTERNET,97-68-93-237.biz.bhn.net.us-west-2.compute.int...,3,NXDOMAIN,10767,


#### Instantiate our search.Search interface to search all *http* events.

In [9]:
# Switch to the http log family (rebinding `search` drops the dns results above).
protocol = 'http'
search = Search(protocol, as_dataframe=True)

In [10]:
# Same window as above; hits are stored on search.results.
search.execute_query(*(start, end))

In [11]:
# Preview the first rows.
# NOTE(review): the sample rows are the sensor itself (source 192.168.53.158)
# talking to 169.254.169.254:80, the link-local cloud instance-metadata address,
# i.e. self-generated traffic. Exclude the node's own address when looking for
# external HTTP activity against the honeypot.
search.results.head(n=5)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,originating_fuids,originating_filenames,originating_mime_types,recipient_fuids,recipient_filenames,recipient_mime_types,client_header_names,server_header_names,cookie_variables,uri_variables
0,http,2019-11-01 12:01:44.500000+00:00,192.168.53.158,169.254.169.254,50972,80,http-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,,,[FxA22o1v0uBIS4opc7],,[text/html],"[HOST, USER-AGENT, ACCEPT-ENCODING]",,,
1,http,2019-11-01 11:58:00.795000+00:00,192.168.53.158,169.254.169.254,50970,80,http-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,,,[FKM5eM18mBfFylctt4],,[text/plain],"[HOST, USER-AGENT, ACCEPT]",,,
2,http,2019-11-01 11:30:23.520000+00:00,192.168.53.158,169.254.169.254,50968,80,http-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,,,[Fwqw2A1MsSjb3owrYb],,[text/plain],"[HOST, USER-AGENT, ACCEPT]",,,
3,http,2019-11-01 11:06:15.951000+00:00,192.168.53.158,169.254.169.254,50966,80,http-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,,,[FOr8mE3kLIdkzRZgb5],,[text/plain],"[HOST, USER-AGENT, ACCEPT]",,,
4,http,2019-11-01 11:01:44.499000+00:00,192.168.53.158,169.254.169.254,50964,80,http-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,,,[FL3dRO1Mp22qK0zOef],,[text/html],"[HOST, USER-AGENT, ACCEPT-ENCODING]",,,


#### Instantiate our search.Search interface to search all *sip* events.

In [12]:
# Switch to the sip log family (rebinding `search` drops the http results above).
protocol = 'sip'
search = Search(protocol, as_dataframe=True)

In [13]:
# Same window as above; hits are stored on search.results.
window = (start, end)
search.execute_query(*window)

In [14]:
# Preview up to ten rows (the output below has only five, so that is the whole
# window). The user_agent values seen here (friendly-scanner, eyeBeam) are
# commonly associated with automated SIP scanning, which makes user_agent and
# source_ip_address the useful fields to group on.
search.results.head(n=10)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,subject,request_path,response_path,user_agent,status_code,status_message,warning,request_body_length,response_body_length,content_type
0,sip,2019-11-01 11:32:07.038000+00:00,77.247.110.61,192.168.53.158,5081,5060,sip-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,[SIP/2.0/UDP 77.247.110.61:5081],[],friendly-scanner,,,,0,,
1,sip,2019-11-01 11:22:04.802000+00:00,183.2.202.41,192.168.53.158,5061,5060,sip-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,[SIP/2.0/UDP 192.168.0.42:5061],[],friendly-scanner,,,,0,,
2,sip,2019-11-01 10:00:19.257000+00:00,77.247.110.162,192.168.53.158,5256,15061,sip-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,[SIP/2.0/UDP 77.247.110.162:5256],[],eyeBeam,,,,0,,
3,sip,2019-11-01 09:38:27.481000+00:00,77.247.108.162,192.168.53.158,5077,1028,sip-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,[SIP/2.0/UDP 77.247.108.162:5077],[],friendly-scanner,,,,0,,
4,sip,2019-11-01 09:31:50.381000+00:00,183.2.202.41,192.168.53.158,5061,5060,sip-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,,[SIP/2.0/UDP 192.168.0.42:5061],[],friendly-scanner,,,,0,,


#### Instantiate our search.Search interface to search all *snmp* events.

In [15]:
# Switch to the snmp log family (rebinding `search` drops the sip results above).
protocol = 'snmp'
search = Search(protocol, as_dataframe=True)

In [16]:
# Same window as above; hits are stored on search.results.
search.execute_query(*(start, end))

In [17]:
# Preview the first rows. community_string is carried in clear text; the single
# row below is an inbound get-bulk using `public` from an external address,
# the shape of a default-community probe, so community_string together with
# get_bulk_requests is worth alerting on.
search.results.head(n=5)

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,node_hostname,duration,version,community_string,get_requests,get_bulk_requests,get_responses,set_requests,display_string,up_since
0,snmp,2019-11-01 08:19:45.957000+00:00,185.94.111.1,192.168.53.158,50613,161,snmp-events-2019.11.01,honeypot01,zeek,192.168.53.158,ip-192-168-53-158.us-west-2.compute.internal,0.0,2c,public,0,1,0,0,,


#### Instantiate our search.Search interface to search all *ssh* events.

In [18]:
# Switch to the ssh log family (rebinding `search` drops the snmp results above).
protocol = 'ssh'
search = Search(protocol, as_dataframe=True)

In [19]:
# Same window as above; hits are stored on search.results.
window = (start, end)
search.execute_query(*window)

In [20]:
# Preview the first rows.
# NOTE(review): some client_version_string values below look mangled
# ('-HSS2.0-libssh-0.6.3' next to 'SSH-2.0-libssh-0.6.3'); check whether that
# is what the client sent or a parsing artefact before pivoting on this field.
preview = search.results.head(n=5)
preview

Unnamed: 0,event_type,event_time,source_ip_address,destination_ip_address,source_port,destination_port,elasticsearch_index,originating_agent_tag,forwarder_type,node_ip_address,...,authentication_attempts,direction,client_version_string,server_version_string,cipher_algorithm,mac_algorithm,compression_algorithm,key_algorithm,host_key_algorithm,host_key
0,ssh,2019-11-01 12:05:55.311000+00:00,45.40.194.129,192.168.53.158,46602,22,ssh-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,0,INBOUND,-HSS2.0-libssh-0.6.3,SSH-2.0-OpenSSH_7.4,,,,,,
1,ssh,2019-11-01 12:02:48.949000+00:00,138.186.62.138,192.168.53.158,53378,22,ssh-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,0,INBOUND,SSH-2.0-libssh-0.6.3,SSH-2.0-OpenSSH_7.4,,,,,,
2,ssh,2019-11-01 11:53:14.987000+00:00,97.68.93.237,192.168.53.158,49468,22,ssh-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,0,INBOUND,SSH-2.0-libssh-0.6.3,SSH-2.0-OpenSSH_7.4,aes256-ctr,hmac-sha1,none,,ecdsa-sha2-nistp256,0d:90:76:bf:3b:89:6e:fc:7c:6e:a9:ba:71:26:8a:4d
3,ssh,2019-11-01 11:40:12.243000+00:00,49.234.116.13,192.168.53.158,47720,22,ssh-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,0,INBOUND,-HSS2.0-libssh-0.6.3,SSH-2.0-OpenSSH_7.4,aes256-ctr,hmac-sha1,none,,ecdsa-sha2-nistp256,0d:90:76:bf:3b:89:6e:fc:7c:6e:a9:ba:71:26:8a:4d
4,ssh,2019-11-01 11:36:45.194000+00:00,132.232.43.115,192.168.53.158,57760,22,ssh-events-2019.11.01,honeypot01,zeek,192.168.53.158,...,0,INBOUND,SSH-2.0-libssh-0.6.3,SSH-2.0-OpenSSH_7.4,aes256-ctr,hmac-sha1,none,,ecdsa-sha2-nistp256,0d:90:76:bf:3b:89:6e:fc:7c:6e:a9:ba:71:26:8a:4d
