# Vergleich von IP-Adressen

## Importieren der benötigten Pakete

In [1]:
import os

import pandas as pd
from dns import reversename, resolver
import tldextract
from collections import defaultdict
import pypdns
from ipwhois import IPWhois
from dotenv import load_dotenv
import time

from helper.dataset_splitter import DataSetSplitter

load_dotenv()

True

## Laden der Daten

### Um die aktuellen Daten aus MISP zu erhalten, kann die nachfolgende Codezeile ausgeführt werden. Per default liegt bereits eine exportierte MISP csv-Datei bereit.

In [2]:
# !python3 ../helper/get_csv.py -f ../data/misp_events.csv

In [3]:
data_set_splitter = DataSetSplitter()
data_set_splitter.split_datasets("../data")


  data_set_splitter.split_datasets("../data")


In [4]:
misp_df = pd.read_csv("../data/splitted_datasets/export_ip.csv")

print(len(misp_df))

22823


In [5]:
misp_df.head()

Unnamed: 0,uuid,event_id,value
0,542e4cfe-21ac-46a7-9d82-06b3950d210b,1,1.48.209.68
1,542e4cfe-05f4-46ab-b5b8-06b3950d210b,1,1.73.227.172
2,542e4cfe-81c4-45f2-9e67-06b3950d210b,1,1.162.58.214
3,542e4cfe-0ff4-4a93-aef8-06b3950d210b,1,1.163.34.29
4,542e4cfe-7a98-4c98-a862-06b3950d210b,1,1.192.158.169


## Vorbereitung der Daten

### Betrachtung der Rohdaten
Zur Kontrolle der Rohdaten werden die ersten drei Zeilen, sowie die Anzahl der Daten und Informationen ausgegeben.

In [6]:
print("Anzahl der Daten: ", len(misp_df))

Anzahl der Daten:  22823


## Hier kann man anpassen, wie viele Ergebnisse man haben möchte. Default sind 100.

In [7]:
misp_df = misp_df.sample(frac =.25)
misp_df = misp_df.head(100)
print(len(misp_df))

100


In [8]:
misp_df.head()

Unnamed: 0,uuid,event_id,value
8004,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112
19788,afdaca7f-872f-4567-b0a8-e0c7310c5c8b,1188,45.153.240.246
21595,58f8e8a3-f2c9-4fc1-85d5-e19e4bcc3d87,1190,159.65.166.223
21439,58c5e17d-702e-4128-b3ae-559fea3d324c,1190,24.97.129.36
13142,571f4eec-6ff4-4d42-84ba-4bd1950d210f,262,92.23.68.42


In [9]:
misp_df.info()

<class 'pandas.core.frame.DataFrame'>
Int64Index: 100 entries, 8004 to 9626
Data columns (total 3 columns):
 #   Column    Non-Null Count  Dtype 
---  ------    --------------  ----- 
 0   uuid      100 non-null    object
 1   event_id  100 non-null    int64 
 2   value     100 non-null    object
dtypes: int64(1), object(2)
memory usage: 3.1+ KB


## Reverse IP Lookup

### IP-Adressen in einer Liste für die weitere Bearbeitung speichern

In [10]:
ip_list = misp_df['value'].tolist()

### Dictionary zur späteren Verwendung anlegen. Eine Serie zur Erstellung einer neuen Spalte anlegen.

In [11]:
def_dict_reverse = defaultdict(list)
def_dict_reverse_2 = defaultdict(list)
domain_for_ip_address = pd.Series([],dtype=pd.StringDtype())
ip_domain_dict = {}

### Für jede Ip-Adresse ein Reverse Lookup durchführen

War das Reverse Lookup erfolgreich, wird die Domain extrahiert und sowohl in einem dict als key mit der IP-Adresse als zugehörigen Value abgespeichert. Zudem wird die Domain in der neuen Spalte domain for_ip_address zur jeweiligen Zeile hinzugefügt.
Zu jedem Key (Domain) erhält man 1-n Values (IP-Adressen)

In [12]:
for element in ip_list:
    try:
        rev_name = reversename.from_address(str(element))
        reversed_dns = str(resolver.resolve(rev_name, "PTR")[0])
        result = tldextract.extract(reversed_dns)
        domain = result.domain
        
        if element not in def_dict_reverse:
            def_dict_reverse[element] = domain
        else:
            def_dict_reverse[element].append(domain)
    except:
        continue
ip_domain_dict = dict(def_dict_reverse)

In [13]:
print(ip_domain_dict)

{'218.103.38.112': 'netvigator', '24.97.129.36': 'rr', '92.23.68.42': 'as13285', '54.173.157.23': 'amazonaws', '14.97.164.161': '14-tataidc', '54.193.34.194': 'amazonaws', '89.190.196.99': 'megalan', '122.54.25.66': 'pldt', '65.114.164.245': 'qwest', '176.189.30.63': 'bbox', '174.139.12.85': 'krypt', '107.180.51.235': 'secureserver', '176.10.100.229': 'alpeinsoft', '54.72.124.107': 'amazonaws', '54.149.76.227': 'amazonaws', '195.32.89.29': 'wadsl', '62.171.161.55': 'b2bounty', '138.201.140.110': 'your-server', '107.183.149.75': 'orange', '173.208.206.172': 'spunequable', '149.28.14.163': 'vultr', '122.225.97.103': 'fund123', '192.99.247.174': 'ovh', '77.246.145.157': 'example', '13.127.218.140': 'amazonaws', '54.187.236.253': 'amazonaws', '124.126.224.213': 'bjtelecom', '185.209.20.221': 'had', '217.68.23.131': 'freestart', '78.88.28.161': 'vectranet', '88.119.171.68': 'bacloud', '64.34.216.104': 'indservers', '192.186.246.134': 'secureserver', '75.127.1.214': 'colocrossing', '213.136.

## passive DNS Lookup

In [14]:
def_dict_pdns = defaultdict(list)
ip_pdns_dict = {}

### pDNS Abfrage bei Circl
Die Ergebnisse des passive DNS Lookups werden in einem Dictionary in folgender Form gespeichert: ip : 1-n pDNS Einträge

In [15]:
request = pypdns.PyPDNS(basic_auth=(os.environ.get('CIRCL_PDNS_USERNAME'),os.environ.get('CIRCL_PDNS_PASSWORD')))
count = 0

for element in ip_list:
    
    count += 1
    print(count)
    
    time.sleep(2)
    
    pdns_result = request.query(str(element))
    
    if len(pdns_result) == 0:
        continue
        
    rdata_list = []
    
    for pdns_result_element in pdns_result:
        rdata = pdns_result_element['rdata']
        rdata_list.append(rdata)
    
    if element not in def_dict_pdns:
        def_dict_pdns[element] = rdata_list

ip_pdns_dict = dict(def_dict_pdns)
print(ip_pdns_dict)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
{'31.170.160.229': ['31.170.160.229'], '107.180.51.235': ['107.180.51.235', '107.180.51.235', 'ns24.domaincontrol.com', 'ns23.domaincontrol.com'], '162.210.102.232': ['162.210.102.232', 'ns8.hoststage.net', '178.33.228.42', 'ns7.hoststage.net', '162.210.102.232', '162.210.102.232', 'dns2.freehostia.com', 'dns1.freehostia.com', '162.210.102.232'], '159.253.46.194': ['159.253.46.194'], '217.68.23.131': ['217.68.23.131', '217.68.23.131', '217.68.23.131'], '64.34.216.104': ['64.34.216.104', 'ns12.indservers.co.in', 'ns11.indservers.co.in', '64.34.216.104', 'ns01.indservers.co.in', '64.34.216.104', 'ns02.indservers.co.in', '64.34.216.104'], '213.136.73.122': ['213.136.73.122', '2a02:c207:2009:742::1'], '

In [16]:
print(ip_pdns_dict)

{'31.170.160.229': ['31.170.160.229'], '107.180.51.235': ['107.180.51.235', '107.180.51.235', 'ns24.domaincontrol.com', 'ns23.domaincontrol.com'], '162.210.102.232': ['162.210.102.232', 'ns8.hoststage.net', '178.33.228.42', 'ns7.hoststage.net', '162.210.102.232', '162.210.102.232', 'dns2.freehostia.com', 'dns1.freehostia.com', '162.210.102.232'], '159.253.46.194': ['159.253.46.194'], '217.68.23.131': ['217.68.23.131', '217.68.23.131', '217.68.23.131'], '64.34.216.104': ['64.34.216.104', 'ns12.indservers.co.in', 'ns11.indservers.co.in', '64.34.216.104', 'ns01.indservers.co.in', '64.34.216.104', 'ns02.indservers.co.in', '64.34.216.104'], '213.136.73.122': ['213.136.73.122', '2a02:c207:2009:742::1'], '217.172.226.2': ['217.172.226.2', '217.172.226.2', '217.172.226.2', '217.172.226.6', 'ns1.mpsz.pl', 'dns1.mm.pl'], '50.63.202.62': ['ns100.rookdns.com', '141.8.224.239', 'ns99.rookdns.com', '50.63.202.62', 'ns51.domaincontrol.com', 'ns52.domaincontrol.com', 'ns01.domaincontrol.com', '50.63.2

## ASN Lookup
Es werden nur einige Felder der ASN-Response verwendet. Diese werden wie schon zuvor in der Form ip : 1 ASN-Eintrag in verschiedene Dictionaries gespeichert.

In [17]:
def_dict_asn_registry = defaultdict(list)
def_dict_asn = defaultdict(list)
def_dict_asn_cidr = defaultdict(list)
def_dict_asn_country_code = defaultdict(list)
def_dict_asn_date = defaultdict(list)

ip_asn_registry_dict = {}
ip_asn_dict = {}
ip_asn_cidr_dict = {}
ip_asn_country_code_dict = {}
ip_asn_date_dict = {}

In [18]:
count = 0

for element in ip_list:
    try:
        query = IPWhois(str(element))
        asn_results = query.lookup_rdap(depth=7, rate_limit_timeout=120)
        asn_registry = asn_results.get('asn_registry')
        asn = asn_results.get('asn')
        asn_cidr = asn_results.get('asn_cidr')
        asn_country_code = asn_results.get('asn_country_code')
        asn_date = asn_results.get('asn_date')

        def_dict_asn_registry[element] = asn_registry
        def_dict_asn[element] = asn
        def_dict_asn_cidr[element] = asn_cidr
        def_dict_asn_country_code[element] = asn_country_code
        def_dict_asn_date[element] = asn_date
        count += 1
        print(count)
    except:
        continue

ip_asn_registry_dict = dict(def_dict_asn_registry)
ip_asn_dict = dict(def_dict_asn)
ip_asn_cidr_dict = dict(def_dict_asn_cidr)
ip_asn_country_code_dict = dict(def_dict_asn_country_code)
ip_asn_date_dict = dict(def_dict_asn_date)

print(ip_asn_registry_dict)
print(ip_asn_dict)
print(ip_asn_cidr_dict)
print(ip_asn_country_code_dict)
print(ip_asn_date_dict)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
{'218.103.38.112': 'apnic', '45.153.240.246': 'ripencc', '159.65.166.223': 'arin', '24.97.129.36': 'arin', '92.23.68.42': 'ripencc', '162.219.7.3': 'arin', '206.221.176.205': 'arin', '112.101.64.87': 'apnic', '142.93.253.45': 'arin', '54.173.157.23': 'arin', '31.170.160.229': 'ripencc', '74.121.191.200': 'arin', '14.97.164.161': 'apnic', '203.131.222.109': 'apnic', '54.193.34.194': 'arin', '89.190.196.99': 'ripencc', '122.54.25.66': 'apnic', '31.177.36.232': 'ripencc', '67.205.153.40': 'arin', '65.114.164.245': 'arin', '176.189.30.63': 'ripencc', '47.19.68.248': 'arin', '174.139.12.85': 'arin', '107.180.51.235': 'arin', '42.117.228.104': 'apnic', '162.210.102.232': 'arin', '176.10.100.229': 'ripencc', '

## Dictionaries zusammenführen

In [19]:
print(ip_domain_dict)

{'218.103.38.112': 'netvigator', '24.97.129.36': 'rr', '92.23.68.42': 'as13285', '54.173.157.23': 'amazonaws', '14.97.164.161': '14-tataidc', '54.193.34.194': 'amazonaws', '89.190.196.99': 'megalan', '122.54.25.66': 'pldt', '65.114.164.245': 'qwest', '176.189.30.63': 'bbox', '174.139.12.85': 'krypt', '107.180.51.235': 'secureserver', '176.10.100.229': 'alpeinsoft', '54.72.124.107': 'amazonaws', '54.149.76.227': 'amazonaws', '195.32.89.29': 'wadsl', '62.171.161.55': 'b2bounty', '138.201.140.110': 'your-server', '107.183.149.75': 'orange', '173.208.206.172': 'spunequable', '149.28.14.163': 'vultr', '122.225.97.103': 'fund123', '192.99.247.174': 'ovh', '77.246.145.157': 'example', '13.127.218.140': 'amazonaws', '54.187.236.253': 'amazonaws', '124.126.224.213': 'bjtelecom', '185.209.20.221': 'had', '217.68.23.131': 'freestart', '78.88.28.161': 'vectranet', '88.119.171.68': 'bacloud', '64.34.216.104': 'indservers', '192.186.246.134': 'secureserver', '75.127.1.214': 'colocrossing', '213.136.

In [20]:
print(ip_pdns_dict)

{'31.170.160.229': ['31.170.160.229'], '107.180.51.235': ['107.180.51.235', '107.180.51.235', 'ns24.domaincontrol.com', 'ns23.domaincontrol.com'], '162.210.102.232': ['162.210.102.232', 'ns8.hoststage.net', '178.33.228.42', 'ns7.hoststage.net', '162.210.102.232', '162.210.102.232', 'dns2.freehostia.com', 'dns1.freehostia.com', '162.210.102.232'], '159.253.46.194': ['159.253.46.194'], '217.68.23.131': ['217.68.23.131', '217.68.23.131', '217.68.23.131'], '64.34.216.104': ['64.34.216.104', 'ns12.indservers.co.in', 'ns11.indservers.co.in', '64.34.216.104', 'ns01.indservers.co.in', '64.34.216.104', 'ns02.indservers.co.in', '64.34.216.104'], '213.136.73.122': ['213.136.73.122', '2a02:c207:2009:742::1'], '217.172.226.2': ['217.172.226.2', '217.172.226.2', '217.172.226.2', '217.172.226.6', 'ns1.mpsz.pl', 'dns1.mm.pl'], '50.63.202.62': ['ns100.rookdns.com', '141.8.224.239', 'ns99.rookdns.com', '50.63.202.62', 'ns51.domaincontrol.com', 'ns52.domaincontrol.com', 'ns01.domaincontrol.com', '50.63.2

In [21]:
print(ip_asn_registry_dict)

{'218.103.38.112': 'apnic', '45.153.240.246': 'ripencc', '159.65.166.223': 'arin', '24.97.129.36': 'arin', '92.23.68.42': 'ripencc', '162.219.7.3': 'arin', '206.221.176.205': 'arin', '112.101.64.87': 'apnic', '142.93.253.45': 'arin', '54.173.157.23': 'arin', '31.170.160.229': 'ripencc', '74.121.191.200': 'arin', '14.97.164.161': 'apnic', '203.131.222.109': 'apnic', '54.193.34.194': 'arin', '89.190.196.99': 'ripencc', '122.54.25.66': 'apnic', '31.177.36.232': 'ripencc', '67.205.153.40': 'arin', '65.114.164.245': 'arin', '176.189.30.63': 'ripencc', '47.19.68.248': 'arin', '174.139.12.85': 'arin', '107.180.51.235': 'arin', '42.117.228.104': 'apnic', '162.210.102.232': 'arin', '176.10.100.229': 'ripencc', '63.128.163.30': 'arin', '54.72.124.107': 'arin', '192.241.149.43': 'arin', '54.149.76.227': 'arin', '195.32.89.29': 'ripencc', '149.200.183.84': 'ripencc', '62.116.143.11': 'ripencc', '190.141.30.43': 'lacnic', '62.171.161.55': 'ripencc', '40.82.174.37': 'arin', '138.201.140.110': 'ripen

In [22]:
print(ip_asn_dict)

{'218.103.38.112': '4760', '45.153.240.246': '30823', '159.65.166.223': '14061', '24.97.129.36': '11351', '92.23.68.42': '13285', '162.219.7.3': '55053', '206.221.176.205': '23470', '112.101.64.87': '17897', '142.93.253.45': '14061', '54.173.157.23': '14618', '31.170.160.229': '47583', '74.121.191.200': '27323', '14.97.164.161': 'NA', '203.131.222.109': '37992', '54.193.34.194': '16509', '89.190.196.99': '35141', '122.54.25.66': '9299', '31.177.36.232': '197985', '67.205.153.40': '14061', '65.114.164.245': '209', '176.189.30.63': '5410', '47.19.68.248': '6128', '174.139.12.85': '35908', '107.180.51.235': '26496', '42.117.228.104': '18403', '162.210.102.232': '32748', '176.10.100.229': '51395', '63.128.163.30': '3561', '54.72.124.107': '16509', '192.241.149.43': '14061', '54.149.76.227': '16509', '195.32.89.29': '21034', '149.200.183.84': '8376', '62.116.143.11': '15456', '190.141.30.43': '18809', '62.171.161.55': '51167', '40.82.174.37': '8075', '138.201.140.110': '24940', '107.183.149

In [23]:
print(ip_asn_cidr_dict)

{'218.103.38.112': '218.103.32.0/19', '45.153.240.246': '45.153.240.0/22', '159.65.166.223': '159.65.160.0/20', '24.97.129.36': '24.97.0.0/16', '92.23.68.42': '92.22.0.0/15', '162.219.7.3': '162.219.0.0/21', '206.221.176.205': '206.221.176.0/24', '112.101.64.87': '112.100.0.0/15', '142.93.253.45': '142.93.240.0/20', '54.173.157.23': '54.172.0.0/15', '31.170.160.229': '31.170.160.0/22', '74.121.191.200': '74.121.191.0/24', '14.97.164.161': 'NA', '203.131.222.109': '203.131.222.0/23', '54.193.34.194': '54.193.0.0/17', '89.190.196.99': '89.190.192.0/19', '122.54.25.66': '122.54.0.0/19', '31.177.36.232': '31.177.32.0/21', '67.205.153.40': '67.205.144.0/20', '65.114.164.245': '65.112.0.0/12', '176.189.30.63': '176.128.0.0/10', '47.19.68.248': '47.16.0.0/14', '174.139.12.85': '174.139.12.0/24', '107.180.51.235': '107.180.0.0/18', '42.117.228.104': '42.117.228.0/22', '162.210.102.232': '162.210.102.0/24', '176.10.100.229': '176.10.96.0/19', '63.128.163.30': '63.128.128.0/18', '54.72.124.107':

In [24]:
print(ip_asn_country_code_dict)

{'218.103.38.112': 'HK', '45.153.240.246': 'DE', '159.65.166.223': 'US', '24.97.129.36': 'US', '92.23.68.42': 'GB', '162.219.7.3': 'CA', '206.221.176.205': 'US', '112.101.64.87': 'CN', '142.93.253.45': 'US', '54.173.157.23': 'US', '31.170.160.229': 'CY', '74.121.191.200': 'US', '14.97.164.161': 'IN', '203.131.222.109': 'TH', '54.193.34.194': 'US', '89.190.196.99': 'BG', '122.54.25.66': 'PH', '31.177.36.232': 'NL', '67.205.153.40': 'US', '65.114.164.245': 'US', '176.189.30.63': 'FR', '47.19.68.248': 'US', '174.139.12.85': 'US', '107.180.51.235': 'US', '42.117.228.104': 'VN', '162.210.102.232': 'US', '176.10.100.229': 'CH', '63.128.163.30': 'US', '54.72.124.107': 'US', '192.241.149.43': 'US', '54.149.76.227': 'US', '195.32.89.29': 'IT', '149.200.183.84': 'JO', '62.116.143.11': 'DE', '190.141.30.43': 'PA', '62.171.161.55': 'DE', '40.82.174.37': 'US', '138.201.140.110': 'DE', '107.183.149.75': 'ES', '173.208.206.172': 'US', '149.28.14.163': 'US', '122.225.97.103': 'CN', '192.99.247.174': '

### Erstellung eines neuen Dataframes aus den Dictionaries

In [25]:
ip_df = pd.DataFrame({'domain':pd.Series(ip_domain_dict),
                       'asn_registry':pd.Series(ip_asn_registry_dict), 
                       'asn':pd.Series(ip_asn_dict), 
                       'asn_cidr':pd.Series(ip_asn_cidr_dict), 
                       'country_code':pd.Series(ip_asn_country_code_dict), 
                       'pdns':pd.Series(ip_pdns_dict)})
ip_df.head()

Unnamed: 0,domain,asn_registry,asn,asn_cidr,country_code,pdns
103.41.124.35,,apnic,,,HK,
103.49.119.141,,apnic,134341.0,103.49.116.0/22,IN,
103.6.196.118,mschosting,apnic,46015.0,103.6.196.0/22,MY,"[103.6.196.118, ns101.mschosting.com, ns102.ms..."
104.131.88.156,,arin,14061.0,104.131.64.0/18,US,
106.51.183.114,actcorp,apnic,131269.0,106.51.176.0/20,IN,


### NaN Werte rausfiltern

In [26]:
filtered_df = ip_df[ip_df[['domain', 'asn_registry', 'asn', 'asn_cidr', 'country_code']].notnull().all(1)]

In [27]:
filtered_df.head()

Unnamed: 0,domain,asn_registry,asn,asn_cidr,country_code,pdns
103.6.196.118,mschosting,apnic,46015,103.6.196.0/22,MY,"[103.6.196.118, ns101.mschosting.com, ns102.ms..."
106.51.183.114,actcorp,apnic,131269,106.51.176.0/20,IN,
107.180.51.235,secureserver,arin,26496,107.180.0.0/18,US,"[107.180.51.235, 107.180.51.235, ns24.domainco..."
107.183.149.75,orange,ripencc,12479,107.183.128.0/17,ES,
122.225.97.103,fund123,apnic,4134,122.224.0.0/12,CN,


### Dataframe ohne passive DNS, da momentan das Limit der Abfrage erreicht ist und das Dictionary nur NaN Werte enthält

In [28]:
without_pdns = filtered_df.drop(['pdns'], axis=1)
without_pdns.head()

Unnamed: 0,domain,asn_registry,asn,asn_cidr,country_code
103.6.196.118,mschosting,apnic,46015,103.6.196.0/22,MY
106.51.183.114,actcorp,apnic,131269,106.51.176.0/20,IN
107.180.51.235,secureserver,arin,26496,107.180.0.0/18,US
107.183.149.75,orange,ripencc,12479,107.183.128.0/17,ES
122.225.97.103,fund123,apnic,4134,122.224.0.0/12,CN


### Index der Dataframes neu setzen, um einen Join zu ermöglichen

In [29]:
filtered_df.reset_index(level=0, inplace=True)

In [30]:
filtered_df = filtered_df.rename(columns = {'index': 'value'}, inplace = False)

In [31]:
filtered_df.head()

Unnamed: 0,value,domain,asn_registry,asn,asn_cidr,country_code,pdns
0,103.6.196.118,mschosting,apnic,46015,103.6.196.0/22,MY,"[103.6.196.118, ns101.mschosting.com, ns102.ms..."
1,106.51.183.114,actcorp,apnic,131269,106.51.176.0/20,IN,
2,107.180.51.235,secureserver,arin,26496,107.180.0.0/18,US,"[107.180.51.235, 107.180.51.235, ns24.domainco..."
3,107.183.149.75,orange,ripencc,12479,107.183.128.0/17,ES,
4,122.225.97.103,fund123,apnic,4134,122.224.0.0/12,CN,


In [32]:
without_pdns.reset_index(level=0, inplace=True)

In [33]:
without_pdns = without_pdns.rename(columns = {'index': 'value'}, inplace = False)

In [34]:
without_pdns.head()

Unnamed: 0,value,domain,asn_registry,asn,asn_cidr,country_code
0,103.6.196.118,mschosting,apnic,46015,103.6.196.0/22,MY
1,106.51.183.114,actcorp,apnic,131269,106.51.176.0/20,IN
2,107.180.51.235,secureserver,arin,26496,107.180.0.0/18,US
3,107.183.149.75,orange,ripencc,12479,107.183.128.0/17,ES
4,122.225.97.103,fund123,apnic,4134,122.224.0.0/12,CN


### Das ursprüungliche Dataframe mit dem neuen Dataframe über die ip-Adressen joinen.

In [35]:
joined_df = misp_df.join(filtered_df.set_index('value'), on='value')

In [36]:
df1 = joined_df
df2 = joined_df

In [37]:
df_merged = df1.merge(df2,  how = 'cross') 

In [38]:
df_merged.head()

Unnamed: 0,uuid_x,event_id_x,value_x,domain_x,asn_registry_x,asn_x,asn_cidr_x,country_code_x,pdns_x,uuid_y,event_id_y,value_y,domain_y,asn_registry_y,asn_y,asn_cidr_y,country_code_y,pdns_y
0,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760.0,218.103.32.0/19,HK,
1,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,afdaca7f-872f-4567-b0a8-e0c7310c5c8b,1188,45.153.240.246,,,,,,
2,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,58f8e8a3-f2c9-4fc1-85d5-e19e4bcc3d87,1190,159.65.166.223,,,,,,
3,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,58c5e17d-702e-4128-b3ae-559fea3d324c,1190,24.97.129.36,rr,arin,11351.0,24.97.0.0/16,US,
4,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,571f4eec-6ff4-4d42-84ba-4bd1950d210f,262,92.23.68.42,as13285,ripencc,13285.0,92.22.0.0/15,GB,


### Duplikate entfernen

In [39]:
duplicates = df_merged['uuid_x'] == df_merged['uuid_y']
df_merged = df_merged[~duplicates]

Check String zur Kontrolle hinzufügen

In [40]:
df_merged['check_string'] = df_merged.apply(lambda row: ''.join(sorted([row['uuid_x'], row['uuid_y']])), axis=1)

In [41]:
df_merged = df_merged.drop_duplicates('check_string')

### Umwandlung der passive DNS Werte in eine Liste zum späteren Vergleich

In [42]:
pdns_list = filtered_df['pdns'].tolist()

In [43]:
print(pdns_list)

[['103.6.196.118', 'ns101.mschosting.com', 'ns102.mschosting.com', '103.6.196.118', 'ns101.mschosting.com', 'ns102.mschosting.com', 'ns111.mschosting.com', '103.6.196.118', 'ns112.mschosting.com'], nan, ['107.180.51.235', '107.180.51.235', 'ns24.domaincontrol.com', 'ns23.domaincontrol.com'], nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, nan, ['213.136.73.122', '2a02:c207:2009:742::1'], ['208.78.69.70', '216.146.39.70', '216.146.39.70', '216.146.39.70', '216.146.39.70', '216.146.39.70', '216.146.39.70', '216.146.39.70', '216.146.39.70', '162.88.100.203', '162.88.100.201', '162.88.100.202', '91.198.22.70', '91.198.22.70', '91.198.22.70', '91.198.22.70', '91.198.22.70', '91.198.22.70', '91.198.22.70', '91.198.22.70', '131.186.113.136', '131.186.113.135', '216.146.38.70', '216.146.38.70', '216.146.38.70', '216.146.38.70', '216.146.38.70', '216.146.38.70', '216.146.38.70', '162.88.96.194', '216.146.43.70', '216.146.43.71',

### Methode zum Vergleich und zur Gewichtung der ip-Metadaten
Momentan werden alle Werte gleich gewichtet und nur auf exakte Übereinstimmung verglichen.

In [44]:
def compare_ip_metadata(domain_x, domain_y, 
                        asn_x, asn_y,
                        asn_registry_x, asn_registry_y, 
                        asn_cidr_x, asn_cidr_y, 
                        country_code_x, country_code_y, 
                        pdns_x, pdns_y):
        
    domain_value = 0
    asn_registry_value = 0
    asn_cidr_value = 0
    country_code_value = 0
    pdns_value = 0
    asn_value = 0
    
    if domain_x == domain_y:
        domain_value = 1
    
    if asn_registry_x == asn_registry_y:
        asn_registry_value = 1
    
    if asn_cidr_x == asn_cidr_y:
        asn_cidr_value = 1
    
    if country_code_x == country_code_y:
        country_code_value = 1
    
    if asn_x == asn_y:
        asn_value = 1
    
    if type(pdns_x) is list and type(pdns_y) is list:
        for element in pdns_x:
            if element in pdns_y:
                pdns_value = 1
    
    tmp = int(domain_value) + int(asn_registry_value) + int(asn_cidr_value) + int(country_code_value) + int(pdns_value) + int(asn_value)
    
    score = tmp / 6
    
    return score
    

### Jeden Wert mit jedem vergleichen

In [45]:
df_merged['similarity'] = df_merged.apply(lambda row : compare_ip_metadata(row['domain_x'], row['domain_y'], 
                                                                   row['asn_x'], row['asn_y'],
                                                                   row['asn_registry_x'], row['asn_registry_y'], 
                                                                   row['asn_cidr_x'], row['asn_cidr_y'], 
                                                                   row['country_code_x'], row['country_code_y'], 
                                                                   row['pdns_x'], row['pdns_y']), axis = 1)

In [46]:
df_merged.head()

Unnamed: 0,uuid_x,event_id_x,value_x,domain_x,asn_registry_x,asn_x,asn_cidr_x,country_code_x,pdns_x,uuid_y,event_id_y,value_y,domain_y,asn_registry_y,asn_y,asn_cidr_y,country_code_y,pdns_y,check_string,similarity
1,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,afdaca7f-872f-4567-b0a8-e0c7310c5c8b,1188,45.153.240.246,,,,,,,546e0e5c-83f8-4f28-8e10-804b950d210bafdaca7f-8...,0.0
2,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,58f8e8a3-f2c9-4fc1-85d5-e19e4bcc3d87,1190,159.65.166.223,,,,,,,546e0e5c-83f8-4f28-8e10-804b950d210b58f8e8a3-f...,0.0
3,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,58c5e17d-702e-4128-b3ae-559fea3d324c,1190,24.97.129.36,rr,arin,11351.0,24.97.0.0/16,US,,546e0e5c-83f8-4f28-8e10-804b950d210b58c5e17d-7...,0.0
4,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,571f4eec-6ff4-4d42-84ba-4bd1950d210f,262,92.23.68.42,as13285,ripencc,13285.0,92.22.0.0/15,GB,,546e0e5c-83f8-4f28-8e10-804b950d210b571f4eec-6...,0.0
5,546e0e5c-83f8-4f28-8e10-804b950d210b,25,218.103.38.112,netvigator,apnic,4760,218.103.32.0/19,HK,,54dc66a3-753c-453d-9453-a308950d210b,46,162.219.7.3,,,,,,,546e0e5c-83f8-4f28-8e10-804b950d210b54dc66a3-7...,0.0


In [47]:
#Show all with overlap > x
mask = df_merged['similarity'] > 0.4
df_merged[mask]

Unnamed: 0,uuid_x,event_id_x,value_x,domain_x,asn_registry_x,asn_x,asn_cidr_x,country_code_x,pdns_x,uuid_y,event_id_y,value_y,domain_y,asn_registry_y,asn_y,asn_cidr_y,country_code_y,pdns_y,check_string,similarity
389,58c5e17d-702e-4128-b3ae-559fea3d324c,1190,24.97.129.36,rr,arin,11351,24.97.0.0/16,US,,c03aeb6f-21d8-44f6-8874-18547f9ad0c3,1190,70.60.153.206,rr,arin,10796,70.60.144.0/20,US,,58c5e17d-702e-4128-b3ae-559fea3d324cc03aeb6f-2...,0.5
914,54dc66ef-26e4-484f-a04d-a308950d210b,46,54.173.157.23,amazonaws,arin,14618,54.172.0.0/15,US,,54dc66e7-8ab0-4d6a-aab7-a308950d210b,46,54.193.34.194,amazonaws,arin,16509,54.193.0.0/17,US,,54dc66e7-8ab0-4d6a-aab7-a308950d210b54dc66ef-2...,0.5
928,54dc66ef-26e4-484f-a04d-a308950d210b,46,54.173.157.23,amazonaws,arin,14618,54.172.0.0/15,US,,54dc671c-d978-4348-878b-a308950d210b,46,54.72.124.107,amazonaws,arin,16509,54.72.0.0/16,US,,54dc66ef-26e4-484f-a04d-a308950d210b54dc671c-d...,0.5
930,54dc66ef-26e4-484f-a04d-a308950d210b,46,54.173.157.23,amazonaws,arin,14618,54.172.0.0/15,US,,54dc6754-bcd0-4bb4-af92-a308950d210b,46,54.149.76.227,amazonaws,arin,16509,54.148.0.0/15,US,,54dc66ef-26e4-484f-a04d-a308950d210b54dc6754-b...,0.5
947,54dc66ef-26e4-484f-a04d-a308950d210b,46,54.173.157.23,amazonaws,arin,14618,54.172.0.0/15,US,,8938b6ee-c88e-4df8-8218-55df2f37375a,1190,13.127.218.140,amazonaws,arin,16509,13.126.0.0/15,US,,54dc66ef-26e4-484f-a04d-a308950d210b8938b6ee-c...,0.5
948,54dc66ef-26e4-484f-a04d-a308950d210b,46,54.173.157.23,amazonaws,arin,14618,54.172.0.0/15,US,,54dc66e8-acb8-46fc-a628-a308950d210b,46,54.187.236.253,amazonaws,arin,16509,54.186.0.0/15,US,,54dc66e8-acb8-46fc-a628-a308950d210b54dc66ef-2...,0.5
969,54dc66ef-26e4-484f-a04d-a308950d210b,46,54.173.157.23,amazonaws,arin,14618,54.172.0.0/15,US,,0e8a4bd9-8083-47ae-beaa-51b3245fd68a,1190,44.234.20.79,amazonaws,arin,16509,44.224.0.0/11,US,,0e8a4bd9-8083-47ae-beaa-51b3245fd68a54dc66ef-2...,0.5
973,54dc66ef-26e4-484f-a04d-a308950d210b,46,54.173.157.23,amazonaws,arin,14618,54.172.0.0/15,US,,54dc66e2-4e88-4489-a776-a308950d210b,46,54.67.29.56,amazonaws,arin,16509,54.67.0.0/17,US,,54dc66e2-4e88-4489-a776-a308950d210b54dc66ef-2...,0.5
1428,54dc66e7-8ab0-4d6a-aab7-a308950d210b,46,54.193.34.194,amazonaws,arin,16509,54.193.0.0/17,US,,54dc671c-d978-4348-878b-a308950d210b,46,54.72.124.107,amazonaws,arin,16509,54.72.0.0/16,US,,54dc66e7-8ab0-4d6a-aab7-a308950d210b54dc671c-d...,0.666667
1430,54dc66e7-8ab0-4d6a-aab7-a308950d210b,46,54.193.34.194,amazonaws,arin,16509,54.193.0.0/17,US,,54dc6754-bcd0-4bb4-af92-a308950d210b,46,54.149.76.227,amazonaws,arin,16509,54.148.0.0/15,US,,54dc66e7-8ab0-4d6a-aab7-a308950d210b54dc6754-b...,0.666667


In [48]:
df = df_merged.drop(['uuid_x', 'domain_x', 'asn_registry_x', 'asn_x', 'asn_cidr_x', 'country_code_x', 'pdns_x', 'uuid_y', 'domain_y', 'asn_registry_y', 'asn_y', 'asn_cidr_y', 'country_code_y', 'pdns_y', 'check_string'], axis=1)
df.head()

Unnamed: 0,event_id_x,value_x,event_id_y,value_y,similarity
1,25,218.103.38.112,1188,45.153.240.246,0.0
2,25,218.103.38.112,1190,159.65.166.223,0.0
3,25,218.103.38.112,1190,24.97.129.36,0.0
4,25,218.103.38.112,262,92.23.68.42,0.0
5,25,218.103.38.112,46,162.219.7.3,0.0


In [49]:
df.columns = ['left_event_id', 'left_value', 'right_event_id', 'right_value', 'similarity']
df.head()

Unnamed: 0,left_event_id,left_value,right_event_id,right_value,similarity
1,25,218.103.38.112,1188,45.153.240.246,0.0
2,25,218.103.38.112,1190,159.65.166.223,0.0
3,25,218.103.38.112,1190,24.97.129.36,0.0
4,25,218.103.38.112,262,92.23.68.42,0.0
5,25,218.103.38.112,46,162.219.7.3,0.0


In [50]:
df = df[mask]
df.head()

Unnamed: 0,left_event_id,left_value,right_event_id,right_value,similarity
389,1190,24.97.129.36,1190,70.60.153.206,0.5
914,46,54.173.157.23,46,54.193.34.194,0.5
928,46,54.173.157.23,46,54.72.124.107,0.5
930,46,54.173.157.23,46,54.149.76.227,0.5
947,46,54.173.157.23,1190,13.127.218.140,0.5


In [51]:
df.info()

<class 'pandas.core.frame.DataFrame'>
Int64Index: 35 entries, 389 to 9899
Data columns (total 5 columns):
 #   Column          Non-Null Count  Dtype  
---  ------          --------------  -----  
 0   left_event_id   35 non-null     int64  
 1   left_value      35 non-null     object 
 2   right_event_id  35 non-null     int64  
 3   right_value     35 non-null     object 
 4   similarity      35 non-null     float64
dtypes: float64(1), int64(2), object(2)
memory usage: 1.6+ KB


In [52]:
temp_df = df['left_event_id'].append(df['right_event_id'])
unique_event_nodes = temp_df.drop_duplicates()
unique_event_nodes
unique_event_nodes_list = unique_event_nodes.to_list()
unique_event_nodes_list
print(unique_event_nodes_list)

[1190, 46, 269, 1213, 321, 404, 43, 208, 366, 48]


In [53]:
len(unique_event_nodes_list)

10

In [54]:
unique_event_nodes_execution_commands = []

for i in unique_event_nodes_list:
   event_node = "(e:Event {event_id: "+ "'" + str(i) + "'" + "})"
   neo4j_create_statemenet = "CREATE" + event_node
   unique_event_nodes_execution_commands.append(neo4j_create_statemenet)

def execute_transactions(unique_event_nodes_execution_commands):
    data_base_connection = GraphDatabase.driver(uri = "bolt://localhost:7687", auth=("neo4j", "password"))
    session = data_base_connection.session()

    for i in unique_event_nodes_execution_commands:
        session.run(i)

execute_transactions(unique_event_nodes_execution_commands)

NameError: name 'GraphDatabase' is not defined