# Lesson

### Imports

In [1]:
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
import env
import seaborn as sns

In [2]:
def parse_log_entry(entry):
    parts = entry.split()
    output = {}
    output['ip'] = parts[0]
    output['timestamp'] = parts[3][1:].replace(':', ' ', 1)
    output['request_method'] = parts[5][1:]
    output['request_path'] = parts[6]
    output['http_version'] = parts[7][:-1]
    output['status_code'] = parts[8]
    output['size'] = int(parts[9])
    output['user_agent'] = ' '.join(parts[11:]).replace('"', '')
    return pd.Series(output)

url = f'mysql+pymysql://{env.user}:{env.password}@{env.host}/logs'   
df = pd.read_sql('SELECT * FROM api_access', url)
# df = pd.concat([df.entry, df.entry.apply(parse_log_entry)], axis=1)
df = df.entry.apply(parse_log_entry)

In [3]:
df

Unnamed: 0,ip,timestamp,request_method,request_path,http_version,status_code,size,user_agent
0,97.105.19.58,16/Apr/2019 19:34:42,GET,/api/v1/sales?page=81,HTTP/1.1,200,512495,python-requests/2.21.0
1,97.105.19.58,16/Apr/2019 19:34:42,GET,/api/v1/items,HTTP/1.1,200,3561,python-requests/2.21.0
2,97.105.19.58,16/Apr/2019 19:34:44,GET,/api/v1/sales?page=82,HTTP/1.1,200,510103,python-requests/2.21.0
3,97.105.19.58,16/Apr/2019 19:34:46,GET,/api/v1/sales?page=83,HTTP/1.1,200,510003,python-requests/2.21.0
4,97.105.19.58,16/Apr/2019 19:34:48,GET,/api/v1/sales?page=84,HTTP/1.1,200,511963,python-requests/2.21.0
...,...,...,...,...,...,...,...,...
13969,97.105.19.58,17/Apr/2019 12:55:12,GET,/api/v1/sales?page=62,HTTP/1.1,200,511544,python-requests/2.21.0
13970,97.105.19.58,17/Apr/2019 12:55:12,GET,/api/v1/sales?page=65,HTTP/1.1,200,511201,python-requests/2.21.0
13971,97.105.19.58,17/Apr/2019 12:55:13,GET,/api/v1/sales?page=73,HTTP/1.1,200,511781,python-requests/2.21.0
13972,97.105.19.58,17/Apr/2019 12:55:13,GET,/api/v1/sales?page=69,HTTP/1.1,200,510136,python-requests/2.21.0


In [4]:
new = pd.DataFrame([
    ["95.31.18.119", "21/Apr/2019 10:02:41", "GET", "/api/v1/items/", "HTTP/1.1", '200', 1153005, "python-requests/2.21.0"],
    ["95.31.16.121", "17/Apr/2019 19:36:41", "GET", "/api/v1/sales?page=79/", "HTTP/1.1", '301', 1005, "python-requests/2.21.0"],
    ["97.105.15.120", "18/Apr/2019 19:42:41", "GET", "/api/v1/sales?page=79/", "HTTP/1.1", '301', 2560, "python-requests/2.21.0"],
    ["97.105.19.58", "19/Apr/2019 19:42:41", "GET", "/api/v1/sales?page=79/", "HTTP/1.1", '200', 2056327, "python-requests/2.21.0"],
], columns=df.columns)

df = pd.concat([df,new])

In [5]:
df['size_mb'] = df['size'] / 1024 / 1024
df.timestamp = pd.to_datetime(df.timestamp)
df = df.set_index('timestamp')

In [6]:
def value_counts_and_frequencies(s: pd.Series, dropna=True) -> pd.DataFrame:
    return pd.merge(
        s.value_counts(dropna=False).rename('count'),
        s.value_counts(dropna=False, normalize=True).rename('proba'),
        left_index=True,
        right_index=True,
    )

In [7]:
ip_df = value_counts_and_frequencies(df.ip)
ip_df.head()

Unnamed: 0_level_0,count,proba
ip,Unnamed: 1_level_1,Unnamed: 2_level_1
97.105.19.58,11999,0.85842
173.173.113.51,1059,0.075762
72.181.113.170,613,0.043855
72.181.105.81,246,0.017599
68.201.219.223,21,0.001502


In [8]:
status_given_ip = (
    df.groupby('ip')
    .status_code.value_counts(normalize=True)
    .rename('proba_status_given_ip')
    .reset_index()
)
status_given_ip.head()

Unnamed: 0,ip,status_code,proba_status_given_ip
0,173.173.113.51,200,1.0
1,24.26.242.9,200,1.0
2,3.88.129.158,200,1.0
3,3.92.201.136,200,1.0
4,34.207.64.242,200,1.0


In [9]:
status_given_ip[status_given_ip.status_code != '200']

Unnamed: 0,ip,status_code,proba_status_given_ip
18,72.181.113.170,499,0.003263
19,95.31.16.121,301,1.0
21,97.105.15.120,301,1.0
23,97.105.19.58,499,0.001167


In [10]:
df[df.ip == '173.173.113.51'].head(1)

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-17 01:31:30,173.173.113.51,GET,/api/v1/sales,HTTP/1.1,200,493905,python-requests/2.21.0,0.471025


In [11]:
df[df.ip == '24.26.242.9'].head(1)

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-17 05:50:21,24.26.242.9,GET,/api/v1/items?page=1,HTTP/1.1,200,3561,python-requests/2.21.0,0.003396


In [12]:
df[df.ip == '95.31.16.121']

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-17 19:36:41,95.31.16.121,GET,/api/v1/sales?page=79/,HTTP/1.1,301,1005,python-requests/2.21.0,0.000958


In [13]:
df[df.ip == '97.105.15.120']

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-18 19:42:41,97.105.15.120,GET,/api/v1/sales?page=79/,HTTP/1.1,301,2560,python-requests/2.21.0,0.002441


In [14]:
status_given_ip[status_given_ip.proba_status_given_ip < 1]

Unnamed: 0,ip,status_code,proba_status_given_ip
17,72.181.113.170,200,0.996737
18,72.181.113.170,499,0.003263
22,97.105.19.58,200,0.998833
23,97.105.19.58,499,0.001167


# Exercises

In [15]:
df

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-16 19:34:42,97.105.19.58,GET,/api/v1/sales?page=81,HTTP/1.1,200,512495,python-requests/2.21.0,0.488753
2019-04-16 19:34:42,97.105.19.58,GET,/api/v1/items,HTTP/1.1,200,3561,python-requests/2.21.0,0.003396
2019-04-16 19:34:44,97.105.19.58,GET,/api/v1/sales?page=82,HTTP/1.1,200,510103,python-requests/2.21.0,0.486472
2019-04-16 19:34:46,97.105.19.58,GET,/api/v1/sales?page=83,HTTP/1.1,200,510003,python-requests/2.21.0,0.486377
2019-04-16 19:34:48,97.105.19.58,GET,/api/v1/sales?page=84,HTTP/1.1,200,511963,python-requests/2.21.0,0.488246
...,...,...,...,...,...,...,...,...
2019-04-17 12:55:14,97.105.19.58,GET,/api/v1/sales?page=71,HTTP/1.1,200,510166,python-requests/2.21.0,0.486532
2019-04-21 10:02:41,95.31.18.119,GET,/api/v1/items/,HTTP/1.1,200,1153005,python-requests/2.21.0,1.099591
2019-04-17 19:36:41,95.31.16.121,GET,/api/v1/sales?page=79/,HTTP/1.1,301,1005,python-requests/2.21.0,0.000958
2019-04-18 19:42:41,97.105.15.120,GET,/api/v1/sales?page=79/,HTTP/1.1,301,2560,python-requests/2.21.0,0.002441


In [16]:
df.columns[1:]

Index(['request_method', 'request_path', 'http_version', 'status_code', 'size',
       'user_agent', 'size_mb'],
      dtype='object')

In [17]:
rp = value_counts_and_frequencies(df.request_path)
http = value_counts_and_frequencies(df.http_version)
status = value_counts_and_frequencies(df.status_code)
user = value_counts_and_frequencies(df.user_agent)

## Request Path

In [18]:
rp

Unnamed: 0_level_0,count,proba
request_path,Unnamed: 1_level_1,Unnamed: 2_level_1
/api/v1/sales?page=2,709,0.050723
/api/v1/items,464,0.033195
/api/v1/items?page=2,291,0.020818
/api/v1/items?page=3,219,0.015667
/api/v1/stores,162,0.011590
...,...,...
/api/v1,1,0.000072
/api/v1//api/v1/items/next_page,1,0.000072
/api/v1//api/v1/items,1,0.000072
/api/v1/items?page=0,1,0.000072


## Http Version

In [19]:
http

Unnamed: 0_level_0,count,proba
http_version,Unnamed: 1_level_1,Unnamed: 2_level_1
HTTP/1.1,13978,1.0


### No anomalies are present here

## Status Code

In [20]:
status

Unnamed: 0_level_0,count,proba
status_code,Unnamed: 1_level_1,Unnamed: 2_level_1
200,13960,0.998712
499,16,0.001145
301,2,0.000143


### Like we spoke about during the lesson, we have a few status code anomalies here so let's take a look at them.

### First, let's look at 499

In [21]:
df[df['status_code'] == '499']

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-16 19:55:15,97.105.19.58,GET,/api/v1/sales?page=2,HTTP/1.1,499,0,python-requests/2.20.1,0.0
2019-04-16 19:56:02,97.105.19.58,GET,/api/v1/sales?page=21,HTTP/1.1,499,0,python-requests/2.20.1,0.0
2019-04-16 20:28:46,97.105.19.58,GET,/api/v1/sales?page=2,HTTP/1.1,499,0,python-requests/2.21.0,0.0
2019-04-16 20:33:24,97.105.19.58,GET,/api/v1/sales?page=29,HTTP/1.1,499,0,python-requests/2.21.0,0.0
2019-04-16 20:38:13,97.105.19.58,GET,/api/v1/items,HTTP/1.1,499,0,python-requests/2.21.0,0.0
2019-04-16 20:38:55,97.105.19.58,GET,/api/v1/items,HTTP/1.1,499,0,python-requests/2.21.0,0.0
2019-04-16 20:39:00,97.105.19.58,GET,/api/v1/items,HTTP/1.1,499,0,python-requests/2.21.0,0.0
2019-04-16 20:45:17,97.105.19.58,GET,/api/v1/items,HTTP/1.1,499,0,python-requests/2.21.0,0.0
2019-04-16 20:45:28,97.105.19.58,GET,/api/v1/sales?page=2,HTTP/1.1,499,0,python-requests/2.21.0,0.0
2019-04-16 21:00:35,97.105.19.58,GET,/api/v1/sales?page=115,HTTP/1.1,499,0,python-requests/2.20.1,0.0


### Of the 16 cases present, 14 belong to the same IP address (i believe this to be codeup, although the times appear to be pretty late in the day)
### There also appears to be similar times present here, all between the hours of 8 PM to 4 AM

### Let's look at just that ip for the bottom two and see if we can find anything new about these outliers

In [22]:
df[df.ip == '72.181.113.170']

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-17 02:12:07,72.181.113.170,GET,/api/v1/items,HTTP/1.1,200,3561,python-requests/2.21.0,0.003396
2019-04-17 02:18:07,72.181.113.170,GET,/,HTTP/1.1,200,42,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3...,0.000040
2019-04-17 02:18:07,72.181.113.170,GET,/favicon.ico,HTTP/1.1,200,162,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3...,0.000154
2019-04-17 02:48:27,72.181.113.170,GET,/api/v1/sales,HTTP/1.1,200,493905,python-requests/2.21.0,0.471025
2019-04-17 02:48:28,72.181.113.170,GET,/api/v1/sales?page=2,HTTP/1.1,200,494819,python-requests/2.21.0,0.471896
...,...,...,...,...,...,...,...,...
2019-04-17 03:52:00,72.181.113.170,GET,/api/v1/sales?page=179,HTTP/1.1,200,511963,python-requests/2.21.0,0.488246
2019-04-17 03:52:02,72.181.113.170,GET,/api/v1/sales?page=180,HTTP/1.1,200,510788,python-requests/2.21.0,0.487125
2019-04-17 03:52:04,72.181.113.170,GET,/api/v1/sales?page=181,HTTP/1.1,200,510317,python-requests/2.21.0,0.486676
2019-04-17 03:52:06,72.181.113.170,GET,/api/v1/sales?page=182,HTTP/1.1,200,510540,python-requests/2.21.0,0.486889


#### We have quite a few hits coming from this ip address, all between 2 and 4 AM on April 17th
#### This definitely strikes me as odd. The speed of the requests also stands out to me, whether it's just a resourceful student who made a nice API gathering function, or something altogether odd has yet to be seen.
#### I'd definitely like to explore this occurence more to determine if malicious intent is present.

### First I'd like to see if hitting the server between 2 and 4 am is normal, maybe this cohort was overnight? 

In [23]:
df

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-16 19:34:42,97.105.19.58,GET,/api/v1/sales?page=81,HTTP/1.1,200,512495,python-requests/2.21.0,0.488753
2019-04-16 19:34:42,97.105.19.58,GET,/api/v1/items,HTTP/1.1,200,3561,python-requests/2.21.0,0.003396
2019-04-16 19:34:44,97.105.19.58,GET,/api/v1/sales?page=82,HTTP/1.1,200,510103,python-requests/2.21.0,0.486472
2019-04-16 19:34:46,97.105.19.58,GET,/api/v1/sales?page=83,HTTP/1.1,200,510003,python-requests/2.21.0,0.486377
2019-04-16 19:34:48,97.105.19.58,GET,/api/v1/sales?page=84,HTTP/1.1,200,511963,python-requests/2.21.0,0.488246
...,...,...,...,...,...,...,...,...
2019-04-17 12:55:14,97.105.19.58,GET,/api/v1/sales?page=71,HTTP/1.1,200,510166,python-requests/2.21.0,0.486532
2019-04-21 10:02:41,95.31.18.119,GET,/api/v1/items/,HTTP/1.1,200,1153005,python-requests/2.21.0,1.099591
2019-04-17 19:36:41,95.31.16.121,GET,/api/v1/sales?page=79/,HTTP/1.1,301,1005,python-requests/2.21.0,0.000958
2019-04-18 19:42:41,97.105.15.120,GET,/api/v1/sales?page=79/,HTTP/1.1,301,2560,python-requests/2.21.0,0.002441


In [27]:
df.index

DatetimeIndex(['2019-04-16 19:34:42', '2019-04-16 19:34:42',
               '2019-04-16 19:34:44', '2019-04-16 19:34:46',
               '2019-04-16 19:34:48', '2019-04-16 19:34:48',
               '2019-04-16 19:34:50', '2019-04-16 19:34:52',
               '2019-04-16 19:34:52', '2019-04-16 19:34:53',
               ...
               '2019-04-17 12:55:09', '2019-04-17 12:55:12',
               '2019-04-17 12:55:12', '2019-04-17 12:55:13',
               '2019-04-17 12:55:13', '2019-04-17 12:55:14',
               '2019-04-21 10:02:41', '2019-04-17 19:36:41',
               '2019-04-18 19:42:41', '2019-04-19 19:42:41'],
              dtype='datetime64[ns]', name='timestamp', length=13978, freq=None)

### Now let's take a look at the 301 status code

In [23]:
df[df['status_code'] == '301']

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-17 19:36:41,95.31.16.121,GET,/api/v1/sales?page=79/,HTTP/1.1,301,1005,python-requests/2.21.0,0.000958
2019-04-18 19:42:41,97.105.15.120,GET,/api/v1/sales?page=79/,HTTP/1.1,301,2560,python-requests/2.21.0,0.002441


### Both the server errors occured requesting the same page, I want to see if any attempts succeed at pulling this page

In [24]:
df[df.request_path == '/api/v1/sales?page=79/']

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-17 19:36:41,95.31.16.121,GET,/api/v1/sales?page=79/,HTTP/1.1,301,1005,python-requests/2.21.0,0.000958
2019-04-18 19:42:41,97.105.15.120,GET,/api/v1/sales?page=79/,HTTP/1.1,301,2560,python-requests/2.21.0,0.002441
2019-04-19 19:42:41,97.105.19.58,GET,/api/v1/sales?page=79/,HTTP/1.1,200,2056327,python-requests/2.21.0,1.961066


### One did get through but it was the latest date and was the codeup IP address.
#### Two immediate assumptions present themselves:
- having a codeup ip allowed access to content
- the server wasn't responsive until April 19th

## User

In [25]:
user

Unnamed: 0_level_0,count,proba
user_agent,Unnamed: 1_level_1,Unnamed: 2_level_1
python-requests/2.21.0,12005,0.85885
python-requests/2.20.1,1911,0.136715
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36",34,0.002432
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0,8,0.000572
Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots),7,0.000501
Slackbot 1.0 (+https://api.slack.com/robots),6,0.000429
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36",4,0.000286
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36",2,0.000143
Python-urllib/3.7,1,7.2e-05


In [26]:
odd_user = df[(df.user_agent != 'python-requests/2.21.0') & 
              (df.user_agent != 'python-requests/2.20.1') & 
              (df.user_agent != 'Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)') & 
              (df.user_agent != 'Slackbot 1.0 (+https://api.slack.com/robots)') &
              (df.ip != '97.105.19.58')]
odd_user

Unnamed: 0_level_0,ip,request_method,request_path,http_version,status_code,size,user_agent,size_mb
timestamp,Unnamed: 1_level_1,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1,Unnamed: 6_level_1,Unnamed: 7_level_1,Unnamed: 8_level_1
2019-04-16 22:01:52,72.181.105.81,GET,/api/v1/items,HTTP/1.1,200,3561,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,0.003396
2019-04-16 22:01:52,72.181.105.81,GET,/favicon.ico,HTTP/1.1,200,162,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,0.000154
2019-04-16 22:01:53,72.181.105.81,GET,/api/v1/,HTTP/1.1,200,162,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,0.000154
2019-04-16 22:01:53,72.181.105.81,GET,/favicon.ico,HTTP/1.1,200,162,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,0.000154
2019-04-16 22:02:42,72.181.105.81,GET,/api/v1/,HTTP/1.1,200,162,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,0.000154
2019-04-16 22:02:42,72.181.105.81,GET,/favicon.ico,HTTP/1.1,200,162,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,0.000154
2019-04-16 23:44:34,72.181.105.81,GET,/,HTTP/1.1,200,42,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,4e-05
2019-04-16 23:44:35,72.181.105.81,GET,/favicon.ico,HTTP/1.1,200,162,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4...,0.000154
2019-04-17 01:25:07,72.181.105.81,GET,/,HTTP/1.1,200,42,Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; ...,4e-05
2019-04-17 01:25:07,70.121.214.34,GET,/,HTTP/1.1,200,42,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3...,4e-05
