### Changelog 

- Separating **process_iplist()** output from VT calls to folders (todays_date)
- changed output of **process_json()** FROM "_parsed-combined" to todays_date_parsed-combined in EACH RESPECTIVE FOLDER 

### Flow

1. User edits and feeds ip.csv
2. **process_iplist()** reads each and calls VT api 
3. Responses are stored in **"downloaded_vtresponse"** and seperated into folders by **respective dates** (DDMMYYYY)
4. **process_json()** reads jsons in each folder and generates a compilation for that day in each folder

### Questions / Todo List

**Update** 

I have managed to get the scripts running from jupyter notebook but have the following questions

(a) Receiving (via a web interface) either an individual or list of domais / IP addresses --> currently it's fed via CSV, should i create a front-end for people to upload their files?

(b) Storing list of domains / IP address into a queue based list --> Is this the back-end of things? That is to say, this script runs in the back-end and whenever files come in from front-end it'll trigger the script?

(c) Carryout enrichment --> Where does this "processed in the previous X days" come from? From what i understand, should i create a check such that when new information comes in, it will look at previous histories when the IP/Domain was checked, and continue / stop accordingly? 

(d) storing responses in disk and extracting subset into DB --> is there a specific subset you'd like? DB-wise I would prefer to try NoSQL as i have no experience with it!

In [1]:
import base64
import hashlib
import json
import requests
import time
import csv
import datetime
import os
import pandas as pd


json_template_ip = {
    
    "whois_date": "",
    "last_analysis_date": "",
    "reputation": "",
    "last_analysis_stats": "",
    "total_votes": "",
    "as_owner": "",
    "country": "",
    "asn": "",
    "image":"",
    "processed_date":""
       
}

API_KEY = '0d9fdb6e32d74b9d12e3d894309531838c3aabe8d66b049fd3a7976fbedf2c68'  #@param  {type: "string"}
    


def process_iplist(filename_to_process, columnIndex):
    
    with open(filename_to_process + ".csv", newline='') as inputfile:

        if not os.path.exists("downloaded_vtresponse"):
                os.makedirs("downloaded_vtresponse")

        with open(filename_to_process + "_tracker.csv", 'w', newline='') as outputfile:
            ip_list = csv.reader(inputfile, delimiter=',')
            output_writer = csv.writer(outputfile, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL)

            counter = 0

            for row in ip_list:

                if counter == 0:
                    output_writer.writerow(row + ["Time Run"])
                    outputfile.flush()
                    counter += 1
                    continue

                print("Processing: #" + str(counter) + " - " + row[columnIndex])

                #Get an IP address Report
                r = requests.get("https://www.virustotal.com/api/v3/ip_addresses/"+row[0], headers={"x-apikey":API_KEY})

                # TODO: Make generalised and incorporate timestamp in foldername
                now = datetime.datetime.now()
                dt_string = now.strftime("%d%m%Y")
                
                if not os.path.exists("downloaded_vtresponse/" + dt_string):
                    os.makedirs("downloaded_vtresponse/" + dt_string)
#                 with open("downloaded_vtresponse/" + row[columnIndex] +".json", "w") as outfile:
                with open("downloaded_vtresponse/" + dt_string + "/" + row[columnIndex] +".json", "w") as outfile:

                    outfile.write(r.text)

                output_writer.writerow(row + [datetime.datetime.now()])

                outputfile.flush()

                counter += 1
                time.sleep(16)


def process_json_folder(folder_to_process,json_template):
    
    # Get DDMMYYYY to input later
    now = datetime.datetime.now()
    dt_string = now.strftime("%d%m%Y")

    # Usual Folder: downloaded_vtresponse
    combined_df = pd.DataFrame()
    
    
    for filename in os.listdir(folder_to_process):
        f = os.path.join(folder_to_process, filename)
    
#         print("f:", f)
        # check if it is a file
        if os.path.isfile(f) and f[-5:]==".json":

            # Opening JSON file
            f = open(f)
#             print(f)

            # returns JSON object as
            # a dictionary
            data = json.load(f)
#             print(data)

            # load JSON template
            new_row = json_template

            # populate fields in JSON template
            for key in new_row:
                try:
            #         print(loaded_json['data']['attributes'][key]) 
                    new_row[key] = data['data']['attributes'][key]

                except: 
                    print(key,"not found")
                    if key == "processed_date":
                        new_row[key] = dt_string
                    
            print(new_row)
            df_result = pd.json_normalize(new_row)
            combined_df = pd.concat([combined_df, df_result], ignore_index=True, sort=False)
    
    
#     print(combined_df)
    now = datetime.datetime.now()
    dt_string = now.strftime("%d%m%Y")
    
    combined_df.to_csv(folder_to_process + '/' + dt_string + '_parsed-combined.csv')
    


# Process the list of IPs (CSVs ok but IP must be x column in the list)
# process_iplist("Combined_TestKits_BotIPs", 0)
# process_iplist("ip", 0)


# Process the downloaded VT JSONs
# process_json_folder("downloaded_vtresponse_10Jan_combinedFull5k")
process_json_folder("downloaded_vtresponse/23022023",json_template_ip)


print("completed")
exit(0)




image not found
processed_date not found
{'whois_date': 1676767998, 'last_analysis_date': 1676767972, 'reputation': 0, 'last_analysis_stats': {'harmless': 87, 'malicious': 0, 'suspicious': 0, 'undetected': 0, 'timeout': 0}, 'total_votes': {'harmless': 0, 'malicious': 0}, 'as_owner': 'GOOGLE-CLOUD-PLATFORM', 'country': 'US', 'asn': 396982, 'image': '', 'processed_date': '23022023'}
last_analysis_date not found
image not found
processed_date not found
{'whois_date': 1606940287, 'last_analysis_date': 1676767972, 'reputation': 0, 'last_analysis_stats': {'harmless': 87, 'malicious': 0, 'suspicious': 0, 'undetected': 0, 'timeout': 0}, 'total_votes': {'harmless': 0, 'malicious': 0}, 'as_owner': 'Volia', 'country': 'UA', 'asn': 25229, 'image': '', 'processed_date': '23022023'}
whois_date not found
image not found
processed_date not found
{'whois_date': 1606940287, 'last_analysis_date': 1677050350, 'reputation': 0, 'last_analysis_stats': {'harmless': 87, 'malicious': 0, 'suspicious': 0, 'undete

In [9]:
json_template_general = {
    
    "DNS": "", 
    "Whois": "",
    "whois_date": "", ## CONVERT FROM EPOCH TO USER FRIENDLY DATE
    "last_analysis_date": "",
    "creation_date": "",
    "reputation": "",
    "registrar": "",
    "last_analysis_stats": "",  ## SEPERATE INTO 5 COLUMNS?
    "last_https_certificate": "",
    "categories": "",
    "total_votes": "",
    "as_owner": "",
    "country": "",
    "asn": "",
    "download_archived_page":"",
    "image":"",
    "processed_date":""     ## OWN FIELD TO CHECK X+7 DAYS
    
    
}

In [23]:
json_template_ip = {
    
    "whois_date": "",
    "last_analysis_date": "",
    "reputation": "",
    "last_analysis_stats": "",
    "total_votes": "",
    "as_owner": "",
    "country": "",
    "asn": "",
    "image":"",
    "processed_date":""
    
    
}

In [15]:
json_template_domain = {
    
    "DNS": "", 
    "Whois": "",
    "whois_date": "",
    "last_analysis_date": "",
    "creation_date": "",
    "reputation": "",
    "registrar": "",
    "last_analysis_stats": "",
    "last_https_certificate": "",
    "categories": "",
    "total_votes": "",
    "download_archived_page":"",
    "image":"",
    "processed_date":""
    
    
}

In [19]:
for key in json_template_ip:
    json_template_ip[key] = 1 
    
json_template_ip

{'whois_date': 1,
 'last_analysis_date': 1,
 'reputation': 1,
 'last_analysis_stats': 1,
 'total_votes': 1,
 'as_owner': 1,
 'country': 1,
 'asn': 1,
 'image': 1}

In [21]:
import json
f = open("downloaded_vtresponse/22022023/34.123.194.52.json")
data = json.load(f)
data['data'].keys()
data['data']['type']

TypeError: string indices must be integers

In [25]:
import json
import datetime


now = datetime.datetime.now()
dt_string = now.strftime("%d%m%Y")
    
f = open("downloaded_vtresponse/22022023/34.123.194.52.json")

new_row = json_template_ip 
loaded_json = json.load(f)
                

for key in new_row:
    try:
#         print(loaded_json['data']['attributes'][key]) 
        new_row[key] = loaded_json['data']['attributes'][key]

    except: 
        print(key,"not found")
        if key == "processed_date":
            new_row[key] = dt_string
            
new_row

image not found
processed_date not found


{'whois_date': 1676767998,
 'last_analysis_date': 1676767972,
 'reputation': 0,
 'last_analysis_stats': {'harmless': 87,
  'malicious': 0,
  'suspicious': 0,
  'undetected': 0,
  'timeout': 0},
 'total_votes': {'harmless': 0, 'malicious': 0},
 'as_owner': 'GOOGLE-CLOUD-PLATFORM',
 'country': 'US',
 'asn': 396982,
 'image': '',
 'processed_date': '23022023'}

In [2]:
import datetime
from dateutil import tz

epoch_time = 1676767998

date_time = datetime.datetime.fromtimestamp( epoch_time )  

print("utc:", date_time)

to_zone = tz.gettz('US/Mountain')
new_date_time = date_time.replace(tzinfo=to_zone)


print("sgt:", new_date_time)



utc: 2023-02-19 08:53:18
sgt: 2023-02-19 08:53:18-07:00
