# Adapted from: https://github.com/sooshie/Security-Data-Analysis
# Introduction
This is a basic introduction to IPython and pandas functionality. <a href="http://pandas.pydata.org/">Pandas</a> (Python Data Analysis Library) "is an open source, BSD-licensed library providing high-performance, easy-to-use data structures and data analysis tools for the Python programming language." It (pandas) provides <a href="http://pandas.pydata.org/pandas-docs/stable/dsintro.html#dataframe">dataframe</a> functionality for reading/accessing/manipulating data in memory. You can think of a data frame as a table of indexed values.

What you're currently looking at is an IPython Notebook, this acts as a way to interactively use the python interpreter as well as a way to display graphs/charts/images/markdown along with code. IPython is commonly used in scientific computing due to its flexibility. Much more information is available on the <a href='http://ipython.org/'>IPython</a> website.

# Tip
If you ever want to know the various keyboard shortcuts, just click on a (non-code) cell or the text "In []" to the left of the cell, and press the *H* key. Or select *Help* from the menu above, and then *Keyboard Shortcuts*.
- `shift + tab`: function doc
- `tab`: auto complete
- installation guide: https://jupyter.org/install

# Log file link
http://www.secrepo.com/Security-Data-Analysis/Lab_1/conn.log.zip
___

# Imports

In [1]:
import pandas as pd
from datetime import datetime

# File sampling
First off, let's take a look at a log file generated from Bro this log is similar to netflow logs as well. However, this log file is rather large and doesn't fit in memory.

As part of the first exercise, figure out what setting the variable sample_percent should be in order to read in between 200k and 300k worth of (randomly selected) lines from the file. Change the variable, after doing that either click the play button above (it's the arrow) or hit the [Shift]+[Enter] keys as the same time.

In [2]:
input_file_path = 'data/conn.log'
total_rows = sum(1 for line in open(input_file_path))
sample_percentage = 0.01
sample_size = int(total_rows * sample_percentage)
sampled_data = pd.read_csv(input_file_path, nrows=sample_size)
print(sampled_data)

       1331901000.000000\tCCUIP21wTjqkj8ZqX5\t192.168.202.79\t50463\t192.168.229.251\t80\ttcp\t-\t-\t-\t-\tSH\t-\t0\tFa\t1\t52\t1\t52\t(empty)
0       1331901000.000000\tCsssjd3tX0yOTPDpng\t192.168...                                                                                     
1       1331901000.000000\tCHEt7z3AzG4gyCNgci\t192.168...                                                                                     
2       1331901000.010000\tCKnDAp2ohlvN6rpiXl\t192.168...                                                                                     
3       1331901000.000000\tCGUBcoXKxBE8gTNl\t192.168.2...                                                                                     
4       1331901000.020000\tCRksHc2i8qahpGOP19\t192.168...                                                                                     
...                                                   ...                                                                                     

# File Creation
Awesome! Now that you have a subset of lines to work with, let's write them to another file so we'll have something to practice reading in. Simply hit [Shift]+[Enter] below to run the code in the cell and create a new file.

In [3]:
outfile = 'data/conn_sample.log'
sampled_data.to_csv(outfile, index=False)

# File Input (CSV)
This next cell does a couple of things, first it imports pandas so we can create a dataframe, and then it reads our newly created file from above into memory. You can see the separator is specified to "\t" because Bro produces tab-delimited files by default. In this case we've also specified what we should call the columns in the dataframe.

In [4]:
outfile = 'data/conn_sample.log'
conn_df = pd.read_csv(outfile, sep="\t", header=None, names=['ts','uid','id.orig_h','id.orig_p','id.resp_h','id.resp_p','proto','service','duration','orig_bytes','resp_bytes','conn_state','local_orig','missed_bytes','history','orig_pkts','orig_ip_bytes','resp_pkts','resp_ip_bytes','tunnel_parents','threat','sample'])

# Verifying Input
Now (in theory) the contents of the file should be in a nicely laid-out dataframe.

For this next exercise, experiment with calling the head() and tail() method to see the values at the beginning and end of the dataframe. You can also pass a number to head() and tail() to specify the number of lines you want to see. Remember to click play or press [Shift]+[Enter] to execute the code in the cell after you change it.

In [5]:
conn_df.head()
# conn_df.tail(n=100)

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,...,local_orig,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents,threat,sample
0,1331901000.0,CCUIP21wTjqkj8ZqX5,192.168.202.79,50463,192.168.229.251,80,tcp,-,-,-,...,-,0,Fa,1,52,1,52,(empty),,
1,1331901000.0,Csssjd3tX0yOTPDpng,192.168.202.79,46117,192.168.229.254,443,tcp,-,-,-,...,-,0,dDafFr,3,382,9,994,(empty),,
2,1331901000.0,CHEt7z3AzG4gyCNgci,192.168.202.79,50465,192.168.229.251,80,tcp,http,0.010000,166,...,-,0,ShADfFa,4,382,3,382,(empty),,
3,1331901000.0,CKnDAp2ohlvN6rpiXl,192.168.202.79,50467,192.168.229.251,80,tcp,http,0.010000,166,...,-,0,ShADfFa,4,382,3,382,(empty),,
4,1331901000.0,CGUBcoXKxBE8gTNl,192.168.202.79,46119,192.168.229.254,443,tcp,ssl,0.020000,544,...,-,0,ShADadfFr,8,968,13,1744,(empty),,


# Data Summarization
Now create a new cell below this one. This can be accomplished by clicking on this cell once, and then clicking the + icon towards the top or selecting Insert from above and then selecting Insert Cell Below. After creating the new cell, it's time to learn about the describe() method that can be called on dataframes. This will give you a numeric summarization of all columns that contain numbers.

Try it out!

In [6]:
conn_df.describe()
# conn_df.info()

Unnamed: 0,ts,id.orig_p,id.resp_p,missed_bytes,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,threat,sample
count,907775.0,907775.0,907775.0,907775.0,907775.0,907775.0,907775.0,907775.0,0.0,0.0
mean,1331902000.0,56500.162229,22535.492412,0.0,1.152538,68.8252,0.976359,71.42829,,
std,288.0528,10422.63913,20698.260555,0.0,46.714103,8826.522,50.743271,18029.07,,
min,1331901000.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,,
25%,1331902000.0,49914.0,3641.0,0.0,1.0,44.0,1.0,40.0,,
50%,1331902000.0,63805.0,15579.0,0.0,1.0,44.0,1.0,40.0,,
75%,1331902000.0,63805.0,40338.5,0.0,1.0,60.0,1.0,40.0,,
max,1331903000.0,65523.0,65535.0,0.0,43697.0,8402145.0,43683.0,16641500.0,,


# Data Types
Wait a second, isn't the ts column supposed to be a timestamp? Perhaps this column would be better suited as a time data type vs. a number.

Run the cell below to see what type of information Python stored in each column.

In [7]:
conn_df.dtypes

ts                float64
uid                object
id.orig_h          object
id.orig_p           int64
id.resp_h          object
id.resp_p           int64
proto              object
service            object
duration           object
orig_bytes         object
resp_bytes         object
conn_state         object
local_orig         object
missed_bytes        int64
history            object
orig_pkts           int64
orig_ip_bytes       int64
resp_pkts           int64
resp_ip_bytes       int64
tunnel_parents     object
threat            float64
sample            float64
dtype: object

# Converting Column Types
Time to change the ts column to a datetime object! We will accomplish that by using a simple function provided called to_datetime(). The cell below runs this function on the ts column (what should be a time stamp), and then re-assigns this column back to the dataframe in the same place. A new timestamp column could have been added to the dataframe as well so both the float value and the datetime object columns are present.

Run the cell below to convert the column type.

In [8]:
conn_df['ts'] = pd.to_datetime(conn_df['ts'], unit='s')

# Data Value Exploration
Verify that the conversion was successful. What is the datatype of the column now?

Scroll back up the page and note where you ran the describe() function. You'll see under the threat and sample columns there is likely the value of NaN. This stands for Not a Number and is a special value assigned to empty column values. There are a few ways to explore what values a column has. Two of these are value_counts() and unique().

Try them below on different columns. You can create new cells or if you want to get more than the last command worth of output you can put a print statement in front.

What happens when you run them on a column with IPs (id.orig_h, id.resp_h)? What about sample or threat?

In [9]:
conn_df.head(n=100)

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,...,local_orig,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents,threat,sample
0,2012-03-16 12:30:00.000000000,CCUIP21wTjqkj8ZqX5,192.168.202.79,50463,192.168.229.251,80,tcp,-,-,-,...,-,0,Fa,1,52,1,52,(empty),,
1,2012-03-16 12:30:00.000000000,Csssjd3tX0yOTPDpng,192.168.202.79,46117,192.168.229.254,443,tcp,-,-,-,...,-,0,dDafFr,3,382,9,994,(empty),,
2,2012-03-16 12:30:00.000000000,CHEt7z3AzG4gyCNgci,192.168.202.79,50465,192.168.229.251,80,tcp,http,0.010000,166,...,-,0,ShADfFa,4,382,3,382,(empty),,
3,2012-03-16 12:30:00.009999872,CKnDAp2ohlvN6rpiXl,192.168.202.79,50467,192.168.229.251,80,tcp,http,0.010000,166,...,-,0,ShADfFa,4,382,3,382,(empty),,
4,2012-03-16 12:30:00.000000000,CGUBcoXKxBE8gTNl,192.168.202.79,46119,192.168.229.254,443,tcp,ssl,0.020000,544,...,-,0,ShADadfFr,8,968,13,1744,(empty),,
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
95,2012-03-16 12:30:00.580000000,Cz4G424fjTc21kMTxi,192.168.202.79,46207,192.168.229.254,443,tcp,ssl,0.010000,548,...,-,0,ShADadfFr,8,972,13,1744,(empty),,
96,2012-03-16 12:30:00.589999872,C4wEQK1PvekaTOklK6,192.168.202.79,50555,192.168.229.251,80,tcp,http,0.010000,170,...,-,0,ShADfFa,4,386,3,382,(empty),,
97,2012-03-16 12:30:00.589999872,CIRfzG38gNVP8Mmvyf,192.168.202.79,46209,192.168.229.254,443,tcp,ssl,0.020000,548,...,-,0,ShADadfFr,8,972,13,1744,(empty),,
98,2012-03-16 12:30:00.600000000,CrknOV8KMgZSnrH33,192.168.202.79,50557,192.168.229.251,80,tcp,http,0.010000,170,...,-,0,ShADfFa,4,386,3,382,(empty),,


In [10]:
conn_df['sample'].unique()

array([nan])

In [11]:
conn_df['threat'].unique()

array([nan])

In [12]:
conn_df['id.orig_h'].unique()

array(['192.168.202.79', '192.168.202.76', '192.168.202.100',
       '192.168.202.89', '192.168.202.68', '192.168.229.156',
       '192.168.202.85', '192.168.202.102', '192.168.202.93',
       '192.168.202.97', 'fe80::ba8d:12ff:fe53:a8d8', '192.168.202.71',
       '192.168.202.77', '2001:dbb:c18:202:f2de:f1ff:fe9b:ad6a',
       'fe80::216:47ff:fe9d:f2d5', '192.168.202.87', '192.168.202.1',
       '192.168.27.152', '192.168.27.102', '192.168.27.101',
       '192.168.27.25', '192.168.27.253', '192.168.27.203',
       '192.168.27.202', '192.168.27.103', 'fe80::216:47ff:fe9d:f2c3',
       'fe80::216:47ff:fe9d:f2c6', '192.168.202.91', '192.168.204.69',
       '192.168.202.81', 'fe80::216:47ff:fe9d:f2c5', '192.168.202.65',
       'fe80::216:47ff:fe9d:f2c7', '192.168.202.80', '192.168.202.94',
       'fe80::216:47ff:fe9d:f2d6', 'fe80::223:dfff:fe97:4e12',
       '192.168.202.92', 'fe80::216:47ff:fe9d:f2c8',
       'fe80::c62c:3ff:fe37:efc', '192.168.202.88', '192.168.202.84',
       'fe80::21

In [13]:
conn_df['id.resp_h'].unique()

array(['192.168.229.251', '192.168.229.254', '64.4.23.149', ...,
       '192.168.21.193', '192.168.21.194', '192.168.21.195'], dtype=object)

# Remove Columns
Another useful operation on a dataframe is removing and adding columns. Since the threat and sample columns contain only NaNs, we can safely remove them and not impact any analysis that may be performed.

Below the sample column is removed (dropped), add a similar line to drop the threat column and use a method from above to verify they are no longer in the dataframe.

In [14]:
conn_df.drop('sample', axis=1, inplace=True)
conn_df.drop('threat', axis=1, inplace=True)
conn_df.head()

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,local_orig,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents
0,2012-03-16 12:30:00.000000000,CCUIP21wTjqkj8ZqX5,192.168.202.79,50463,192.168.229.251,80,tcp,-,-,-,-,SH,-,0,Fa,1,52,1,52,(empty)
1,2012-03-16 12:30:00.000000000,Csssjd3tX0yOTPDpng,192.168.202.79,46117,192.168.229.254,443,tcp,-,-,-,-,SF,-,0,dDafFr,3,382,9,994,(empty)
2,2012-03-16 12:30:00.000000000,CHEt7z3AzG4gyCNgci,192.168.202.79,50465,192.168.229.251,80,tcp,http,0.010000,166,214,SF,-,0,ShADfFa,4,382,3,382,(empty)
3,2012-03-16 12:30:00.009999872,CKnDAp2ohlvN6rpiXl,192.168.202.79,50467,192.168.229.251,80,tcp,http,0.010000,166,214,SF,-,0,ShADfFa,4,382,3,382,(empty)
4,2012-03-16 12:30:00.000000000,CGUBcoXKxBE8gTNl,192.168.202.79,46119,192.168.229.254,443,tcp,ssl,0.020000,544,1060,SF,-,0,ShADadfFr,8,968,13,1744,(empty)


# Row selection
You can use column values to select rows from the dataframes (and even only view specific columns). First, select all rows that contain SSL traffic by running the cell below.

In [15]:
 conn_df[
    conn_df['service'] == 'ssl'
].head()


Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,local_orig,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents
4,2012-03-16 12:30:00.000000000,CGUBcoXKxBE8gTNl,192.168.202.79,46119,192.168.229.254,443,tcp,ssl,0.02,544,1060,SF,-,0,ShADadfFr,8,968,13,1744,(empty)
5,2012-03-16 12:30:00.020000000,CRksHc2i8qahpGOP19,192.168.202.79,46121,192.168.229.254,443,tcp,ssl,0.01,544,1060,SF,-,0,ShADadfFr,8,968,13,1744,(empty)
6,2012-03-16 12:30:00.029999872,C56nlH3SloWOj44ABi,192.168.202.79,46123,192.168.229.254,443,tcp,ssl,0.01,548,1060,SF,-,0,ShADadfFr,8,972,13,1744,(empty)
10,2012-03-16 12:30:00.040000000,CC6D613v9i3xbmQbAf,192.168.202.79,46125,192.168.229.254,443,tcp,ssl,0.02,548,1060,SF,-,0,ShADadfrF,8,972,13,1744,(empty)
11,2012-03-16 12:30:00.060000000,C5hpJ62EKjvbtDNVr8,192.168.202.79,46127,192.168.229.254,443,tcp,ssl,0.01,544,1060,SF,-,0,ShADadfFr,8,968,13,1744,(empty)


Next we can assign that result to a dataframe, and then look at all all the SSL connections that happen over ports other than 443.

Ici l'échantillon utilisé n'est pas exactement le même et ne contient peut-être pas d'autre valeur pour la colonne id.resp_p. Le principe reste le même.

In [16]:
ssl_df = conn_df[conn_df['service'] == 'ssl']
ssl_df[ssl_df['id.resp_p'] != 443].head()

Unnamed: 0,ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,service,duration,orig_bytes,resp_bytes,conn_state,local_orig,missed_bytes,history,orig_pkts,orig_ip_bytes,resp_pkts,resp_ip_bytes,tunnel_parents


You can see the individual column selections above eg: conn_df['service'], and ssl_df['id.resp_p'] respectively. You can use these to view output of specific columns.

For example, run the cell below to see all the individual values of originator bytes associated with a SSL connection over port 443.

In [17]:
ssl_df[ssl_df['id.resp_p'] == 443]['orig_bytes'].head()

4     544
5     544
6     548
10    548
11    544
Name: orig_bytes, dtype: object

# Final Exercise
Use all of the techniques above to display the unique ports and originator IPs (bonus points for the number of connections of each) associated with all HTTP connections NOT over port 80.


In [18]:
http_df = conn_df[conn_df['service'] == 'http']
http_df[http_df['id.resp_p'] != 80]['id.orig_h'].value_counts()

192.168.202.79    1690
Name: id.orig_h, dtype: int64

In [19]:
http_df[http_df['id.resp_p'] != 80]['id.resp_p'].value_counts()

5357    1280
5488     410
Name: id.resp_p, dtype: int64