In [1]:
from bat import bro_log_reader
from datetime import timedelta
from colorama import Fore, Style

In [38]:
class connection:
    def __init__(self, orig, dest, ts, prediction = False):
        self.orig = orig
        self.dest = dest
        self.ts = ts
        self.prediction = prediction

def get_connections(reader):
    conns = []
    for row in reader.readrows():
        orig = row.get('id.orig_h')
        dest = row.get('id.resp_h')
        ts = row.get('ts')
        conns.append(connection(orig, dest, ts))
    return conns

def group_unique(connections):
    unique_orig = []
    grouped = []

    for conn in connections:
        if conn.orig not in unique_orig:
            unique_orig.append(conn.orig)
        else:
            continue
    for i in range(len(unique_orig)):
        sub_group = []
        for conn in connections:
            if conn.orig == unique_orig[i]:
                sub_group.append(conn)
        grouped.append(sub_group)
        
    return grouped

def check_days_ago(string_dt):
    if '-' in string_dt:
        return string_dt.replace('-','') + ' ago'
    else:
        return 'in ' + string_dt

def predict_connection(grouped_connections):   
    predicted = []
    sep = '----'
    for conns in grouped:
        try:
            # timedelta calculation found here:
            #https://stackoverflow.com/questions/3617170/average-timedelta-in-list
            timedeltas = [conns[i].ts - conns[i-1].ts for i in range(1, len(conns))]
            avg = sum(timedeltas, timedelta(0)) / len(timedeltas)
            
            origin= conns[0].orig 
            destination = conns[0].dest
            p_time = check_days_ago(str(avg))

            p = connection(origin, destination, p_time, prediction = True)
            predicted.append(p)
            
            print(Style.RESET_ALL + 'expect connection to', Fore.GREEN + origin,
                  Style.RESET_ALL + 'from', Fore.BLUE + destination,
                  Fore.RED +  p_time)
        except:
            continue
    
    return predicted

In [36]:
reader = bro_log_reader.BroLogReader('./giant/ssh.log')
ssh_connections = get_connections(reader)
grouped = group_unique(ssh_connections)
print(len(ssh_connections), 'ssh connections')

Successfully monitoring ./giant/ssh.log...
29018 ssh connections


In [37]:
predict_connection(grouped)

[0mexpect connection to [32m192.168.230.115 [0mfrom [34m192.168.230.137 [31m1 day, 23:58:31.315883 ago
[0mexpect connection to [32m172.16.10.32 [0mfrom [34m192.168.230.115 [31min 0:31:53.655336
[0mexpect connection to [32m192.168.230.126 [0mfrom [34m192.168.230.115 [31min 9 days, 18:27:00.048165
[0mexpect connection to [32m192.168.230.137 [0mfrom [34m192.168.230.115 [31min 24 days, 12:22:33.302764
[0mexpect connection to [32m192.168.230.135 [0mfrom [34m192.168.230.115 [31min 18:52:18.628698
[0mexpect connection to [32m192.168.231.10 [0mfrom [34m192.168.230.115 [31m1 day, 6:35:01.557586 ago
[0mexpect connection to [32m172.16.10.15 [0mfrom [34m192.168.230.115 [31min 0:00:07.648027
[0mexpect connection to [32m192.168.230.103 [0mfrom [34m192.168.230.100 [31min 0:01:37.804000
[0mexpect connection to [32m192.168.230.106 [0mfrom [34m192.168.230.115 [31m1 day, 0:48:50.929322 ago
[0mexpect connection to [32m192.168.216.11 [0mfrom [34m192.168.230.

[<__main__.connection at 0x7f6a4f549358>,
 <__main__.connection at 0x7f6a4f549400>,
 <__main__.connection at 0x7f6a4f549438>,
 <__main__.connection at 0x7f6a4f549390>,
 <__main__.connection at 0x7f6a4f5493c8>,
 <__main__.connection at 0x7f6a4f549470>,
 <__main__.connection at 0x7f6a4f5494a8>,
 <__main__.connection at 0x7f6a4f5494e0>,
 <__main__.connection at 0x7f6a4f549518>,
 <__main__.connection at 0x7f6a4f5454e0>]