# Lab 1

## Introduction
This is a basic introduction to IPython and pandas functionality. <a href="http://pandas.pydata.org/">Pandas</a> (Python Data Analysis Library) "is an open source, BSD-licensed library providing high-performance, easy-to-use data structures and data analysis tools for the Python programming language." It (pandas) provides <a href="http://pandas.pydata.org/pandas-docs/stable/dsintro.html#dataframe">dataframe</a> functionality for reading/accessing/manipulating data in memory. You can think of a data frame as a table of indexed values.

What you're currently looking at is an IPython Notebook, this acts as a way to interactively use the python interpreter as well as a way to display graphs/charts/images/markdown along with code. IPython is commonly used in scientific computing due to its flexibility. Much more information is available on the <a href='http://ipython.org/'>IPython</a> website.

Often data is stored in files, and the first goal is to get that information off of disk and into a dataframe. Since we're working with limited resources in this VM we'll have to use samples of some of the files. Don't worry though, the same techniques apply if you're not sampling the files for exploration.

## Tip
If you ever want to know the various keyboard shortcuts, just click on a (non-code) cell or the text "In []" to the left of the cell, and press the *H* key. Or select *Help* from the menu above, and then *Keyboard Shortcuts*.
___

## Exercises

### File sampling
First off, let's take a look at a log file generated from <a href="http://www.bro.og/">Bro</a> this log is similar to netflow logs as well. However, this log file is rather large and doesn't fit in memory.

As part of the first exercise, figure out what setting the variable **sample_percent** should be in order to read in between 200k and 300k worth of (randomly selected) lines from the file. Change the variable, after doing that either click the *play* button above (it's the arrow) or hit the *[Shift]+[Enter]* keys as the same time.

In [5]:
import random
import os
data_path = os.path.abspath('connection_logs/')
outfile = os.path.join(data_path,'conn_sample.log')
logfile = os.path.join(data_path,'conn.log')

sample_percent = .01
num_lines = sum(1 for line in open(logfile))
slines = set(sorted(random.sample(xrange(num_lines), int(num_lines * sample_percent))))
print "%s lines in %s, using a sample of %s lines" %(num_lines, logfile, len(slines))

22694356 lines in /home/haris/dev/projects/Security-Data-Analysis/connection_logs/conn.log, using a sample of 226943 lines


### File Creation
Awesome! Now that you have a subset of lines to work with, let's write them to another file so we'll have something to practice reading in. Simply hit *[Shift]+[Enter]* below to run the code in the cell and create a new file.

In [6]:
outfile = os.path.join(data_path,'conn_sample.log')

f = open(outfile, 'w+')
i = open(logfile, 'r+')
linecount = 0
for line in i:
    if linecount in slines:
        f.write(line)
    linecount += 1
f.close()
i.close()

### File Input (CSV)
This next cell does a couple of things, first it imports pandas so we can create a dataframe, and then it reads our newly created file from above into memory. You can see the separator is specified to "\t" because Bro produces tab-delimited files by default. In this case we've also specified what we should call the columns in the dataframe.

In [7]:
import pandas as pd
conn_df = pd.read_csv(outfile, sep="\t", header=None, names=['ts','uid','id.orig_h','id.orig_p','id.resp_h','id.resp_p','proto','service','duration','orig_bytes','resp_bytes','conn_state','local_orig','missed_bytes','history','orig_pkts','orig_ip_bytes','resp_pkts','resp_ip_bytes','tunnel_parents','threat','sample'])

### Verifying Input
Now (in theory) the contents of the file should be in a nicely laid-out dataframe.

For this next exercise, experiment with calling the **head()** and **tail()** method to see the values at the beginning and end of the dataframe. You can also pass a number to **head()** and **tail()** to specify the number of lines you want to see. Remember to click *play* or press *[Shift]+[Enter]* to execute the code in the cell after you change it.

In [8]:
conn_df.head()

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,...,local_orig,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents,threat,sample
0,1331901000.0,CePaYG3VFtbQhgGSBf,192.168.202.79,50520,192.168.229.251,80,tcp,http,0.01,160,...,-,0,ShADfFa,4,376,3,382,(empty),,
1,1331901000.0,COY2SK2SuechnCqLBb,192.168.202.79,50543,192.168.229.251,80,tcp,http,0.01,163,...,-,0,ShADfFa,4,379,3,382,(empty),,
2,1331901000.0,Cim8ojUpVOtFtyvo9,192.168.202.79,46251,192.168.229.254,443,tcp,ssl,0.01,570,...,-,0,ShADadfFr,8,994,13,1744,(empty),,
3,1331901000.0,CxGqwvwe4f2xNb7U,192.168.202.79,46377,192.168.229.254,443,tcp,ssl,0.01,536,...,-,0,ShADadfFr,8,960,13,1744,(empty),,
4,1331901000.0,Ce46avOFG41aJjO2j,192.168.202.79,46385,192.168.229.254,443,tcp,ssl,0.02,538,...,-,0,ShADadfrF,8,962,13,1744,(empty),,


### Data Summarization
Now create a new cell below this one. This can be accomplished by clicking on this cell once, and then clicking the *+* icon towards the top or selecting *Insert* from above and then selecting *Insert Cell Below*. After creating the new cell, it's time to learn about the **describe()** method that can be called on dataframes. This will give you a numeric summarization of all columns that contain numbers.

Try it out!

In [9]:
conn_df.describe()

Unnamed: 0,ts,id.orig_p,id.resp_p,missed_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,threat,sample
count,226943.0,226943.0,226943.0,226943.0,226943.0,226943.0,226943.0,226943.0,0.0,0.0
mean,1331949000.0,42749.861036,20452.332775,0.038706,1.613581,154.71,1.081457,216.8085,,
std,42696.78,15301.530482,20650.59288,18.438854,110.038161,16852.06,114.369096,28403.2,,
min,1331901000.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,,
25%,1331908000.0,36048.0,2121.0,0.0,1.0,44.0,0.0,0.0,,
50%,1331928000.0,44316.0,10222.0,0.0,1.0,48.0,1.0,40.0,,
75%,1331997000.0,54494.5,37869.0,0.0,1.0,60.0,1.0,40.0,,
max,1332018000.0,65535.0,65535.0,8784.0,52268.0,8002518.0,54352.0,13195590.0,,


### Data Types
Wait a second, isn't the ts column supposed to be a timestamp? Perhaps this column would be better suited as a time data type vs. a number.

Run the cell below to see what type of information Python stored in each column.

In [10]:
conn_df.dtypes

ts                float64
uid                object
id.orig_h          object
id.orig_p           int64
id.resp_h          object
id.resp_p           int64
proto              object
service            object
duration           object
orig_bytes         object
resp_bytes         object
conn_state         object
local_orig         object
missed_bytes        int64
history            object
orig_pkts           int64
orig_ip_bytes       int64
resp_pkts           int64
resp_ip_bytes       int64
tunnel_parents     object
threat            float64
sample            float64
dtype: object

### Converting Column Types
Time to change the ts column to a datetime object! We will accomplish that by using a simple function provided called *to_datetime()*. The cell below runs this function on the ts column (what should be a time stamp), and then re-assigns this column back to the dataframe in the same place. A new timestamp column could have been added to the dataframe as well so both the float value and the datetime object columns are present.

Run the cell below to convert the column type.

In [11]:
from datetime import datetime
conn_df['ts'] = [datetime.fromtimestamp(float(date)) for date in conn_df['ts'].values]

In [12]:
conn_df.dtypes

ts                datetime64[ns]
uid                       object
id.orig_h                 object
id.orig_p                  int64
id.resp_h                 object
id.resp_p                  int64
proto                     object
service                   object
duration                  object
orig_bytes                object
resp_bytes                object
conn_state                object
local_orig                object
missed_bytes               int64
history                   object
orig_pkts                  int64
orig_ip_bytes              int64
resp_pkts                  int64
resp_ip_bytes              int64
tunnel_parents            object
threat                   float64
sample                   float64
dtype: object

### Data Value Exploration
Verify that the conversion was successful. What is the datatype of the column now?

Scroll back up the page and note where you ran the **describe()** function. You'll see under the threat and sample columns there is likely the value of *NaN*. This stands for Not a Number and is a special value assigned to empty column values. There are a few ways to explore what values a column has. Two of these are **value_counts()** and **unique()**. 

Try them below on different columns. You can create new cells or if you want to get more than the last command worth of output you can put a print statement in front. 

What happens when you run them on a column with IPs (*id.orig_h, id.resp_h*)? What about sample or threat?

In [13]:
conn_df['sample'].unique()

array([ nan])

### Remove Columns
Another useful operation on a dataframe is removing and adding columns.  Since the threat and sample columns contain only *NaNs*, we can safely remove them and not impact any analysis that may be performed. 

Below the sample column is removed (dropped), add a similar line to drop the *threat* column and use a method from above to verify they are no longer in the dataframe.

In [14]:
conn_df.drop('sample', axis=1, inplace=True)

Can you think of other columns to remove? Select a few and remove them as well. What does your dataframe look like now? (Insert additional cells as needed)

In [15]:
conn_df.drop('threat', axis=1, inplace=True)

### Row Selection

You can use column values to select rows from the dataframes (and even only view specific columns). First, select all rows that contain *SSL* traffic by running the cell below.

In [16]:
conn_df[conn_df['service'] == 'ssl'].head()

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,local_orig,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents
2,2012-03-16 14:30:00.870,Cim8ojUpVOtFtyvo9,192.168.202.79,46251,192.168.229.254,443,tcp,ssl,0.01,570,1060,SF,-,0,ShADadfFr,8,994,13,1744,(empty)
3,2012-03-16 14:30:01.830,CxGqwvwe4f2xNb7U,192.168.202.79,46377,192.168.229.254,443,tcp,ssl,0.01,536,1060,SF,-,0,ShADadfFr,8,960,13,1744,(empty)
4,2012-03-16 14:30:01.880,Ce46avOFG41aJjO2j,192.168.202.79,46385,192.168.229.254,443,tcp,ssl,0.02,538,1060,SF,-,0,ShADadfrF,8,962,13,1744,(empty)
5,2012-03-16 14:30:02.900,CLdTrb1hFB5nlX8l27,192.168.202.79,46432,192.168.229.254,443,tcp,ssl,0.01,537,1060,SF,-,0,ShADadfFr,9,1013,13,1744,(empty)
6,2012-03-16 14:30:03.030,CYkmmz1tXphn5Lp5V5,192.168.202.79,46442,192.168.229.254,443,tcp,ssl,0.01,537,1060,SF,-,0,ShADadfFr,8,961,13,1744,(empty)


Next we can assign that result to a dataframe, and then look at all all the *SSL* connections that happen over ports other than 443.

In [None]:
ssl_df = conn_df[conn_df['service'] == 'ssl']
ssl_df[ssl_df['id.resp_p'] != 443].head()

You can see the individual column selections above eg: *conn_df['service']*, and *ssl_df['id.resp_p']* respectively. You can use these to view output of specific columns. 

For example, run the cell below to see all the individual values of originator bytes associated with a *SSL* connection over port 443.

In [None]:
ssl_df[ssl_df['id.resp_p'] == 443][['orig_bytes','proto']].head()

## Final Exercise
Use all of the techniques above to display the unique ports and originator IPs (bonus points for the number of connections of each) associated with all *HTTP* connections **NOT** over port 80. (Hint, create a new dataframe for easier manipulation)