
import pandas as pd
from collections import defaultdict

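# Per-IP state. Kept at module level so later notebook cells can still read
# ip_request_count / ports_accessed_today after the cell has run.
ip_request_count = defaultdict(int)
historical_avg_traffic = defaultdict(lambda: 10000)  # Example: dummy average; not read by any rule below
traffic_today = defaultdict(int)  # not read by any rule below
ports_accessed_today = defaultdict(set)
baseline_port_count = defaultdict(lambda: 3)  # Rule 4: distinct-port baseline per IP

# Sample threat IP list. Rule 5 is an exact match on the raw 'src_ip' value:
# no normalisation (whitespace, IPv6 forms, CIDR ranges) is applied.
threat_intel_list = ['192.168.1.1', '185.13.44.23']

# Known ports (Rule 10 allow-list)
known_ports = [80, 443, 21, 22, 25]

# Rule thresholds, previously hard-coded inside the loop
REQUEST_SPIKE_THRESHOLD = 5 * 1  # Assume avg = 1 request, so 5x the average
IMPOSSIBLE_TRAVEL_SECONDS = 30
WEEKEND_DAYS = {5, 6}  # 5=Saturday, 6=Sunday
NIGHT_HOURS = {2, 3, 4}
GET_BYTES_OUT_LIMIT = 1000000
POST_BYTES_OUT_LIMIT = 500000
HOME_COUNTRY = "IN"
PROD_SOURCE = "prod_webserver"


def _impossible_travel(events, ts, country, window_seconds):
    """Return True when *events* holds another (timestamp, country) pair from a
    different country within *window_seconds* of *ts*.

    Every event of the IP is inspected, not only the first one found, so a
    cross-country hop that sits behind an earlier same-country event is no
    longer missed.

    Args:
        events: list of ``(Timestamp, country_code)`` for one source IP.
        ts: timestamp of the row under evaluation.
        country: country code of the row under evaluation.
        window_seconds: maximum gap, in seconds, that counts as "short time".
    """
    for other_ts, other_country in events:
        if other_ts == ts:
            continue  # the row itself (or an exact duplicate timestamp)
        if other_country != country and abs((ts - other_ts).total_seconds()) < window_seconds:
            return True
    return False


def detect_anomalies(
    df,
    *,
    request_threshold=REQUEST_SPIKE_THRESHOLD,
    travel_window_seconds=IMPOSSIBLE_TRAVEL_SECONDS,
    threat_ips=None,
    allowed_ports=None,
    port_baseline=None,
    request_counts=None,
    ports_seen=None,
) -> list[tuple[str, list[str]]]:
    """Run the ten detection rules over every row of *df*.

    Args:
        df: frame with at least the columns 'src_ip', 'time',
            'src_ip_country_code', 'dst_port', 'source.name', 'rule_names'
            and 'bytes_out'.
        request_threshold: Rule 1 fires once an IP's cumulative request count
            exceeds this (it is a running total over the frame, not a rate
            per time window).
        travel_window_seconds: Rule 2 window for two countries seen from one IP.
        threat_ips: Rule 5 reputation list; defaults to ``threat_intel_list``.
        allowed_ports: Rule 10 allow-list; defaults to ``known_ports``.
        port_baseline: Rule 4 per-IP distinct-port baseline; defaults to
            ``baseline_port_count``.
        request_counts, ports_seen: optional state mappings to accumulate into
            (the module-level ``ip_request_count`` / ``ports_accessed_today``);
            fresh ones are used when None, so repeated calls do not bleed
            counts into each other.

    Returns:
        ``(src_ip, flags)`` tuples, one per row that triggered at least one
        rule, in row order, with flags in rule order.

    Raises:
        Whatever ``pd.to_datetime`` raises for an unparsable 'time' value.
        Nothing is coerced to NaT on purpose: a bad timestamp would otherwise
        silently disable rules 2, 3 and 9 for that row.
    """
    threat_ips = set(threat_intel_list if threat_ips is None else threat_ips)
    allowed_ports = set(known_ports if allowed_ports is None else allowed_ports)
    port_baseline = baseline_port_count if port_baseline is None else port_baseline
    request_counts = defaultdict(int) if request_counts is None else request_counts
    ports_seen = defaultdict(set) if ports_seen is None else ports_seen

    # Parse each timestamp exactly once (the original parsed every row three
    # times plus once per Rule 2 comparison). Per-value parsing is kept rather
    # than parsing the whole Series so mixed formats behave as before.
    times = [pd.to_datetime(t) for t in df['time']]

    # Rule 2 needs every other event of the same IP; build that index up front
    # instead of filtering the whole frame on every row (O(n^2)).
    events_by_ip = defaultdict(list)
    for ip, ts, cc in zip(df['src_ip'], times, df['src_ip_country_code']):
        events_by_ip[ip].append((ts, cc))

    results = []
    for (_, row), ts in zip(df.iterrows(), times):
        ip = row['src_ip']
        country = row['src_ip_country_code']
        flags = []

        # Rule 1: Frequency spike
        request_counts[ip] += 1
        if request_counts[ip] > request_threshold:
            flags.append("Bhai: Is IP ki request frequency bahut badh gayi h")

        # Rule 2: Impossible Travel Rule
        if _impossible_travel(events_by_ip[ip], ts, country, travel_window_seconds):
            flags.append("Bhai: Ek hi IP alag-alag country se short time me access kar rahi h")

        # Rule 3: Access During Holiday or Weekend (weekend only; no holiday calendar is consulted)
        if ts.weekday() in WEEKEND_DAYS:
            flags.append("Bhai: Weekend ya holiday par access hua h")

        # Rule 4: Port Count Anomaly (distinct destination ports seen so far for this IP)
        ports_seen[ip].add(row['dst_port'])
        if len(ports_seen[ip]) > port_baseline[ip]:
            flags.append("Bhai: Is IP ne jyada ports access kiye h")

        # Rule 5: IP reputation
        if ip in threat_ips:
            flags.append("Bhai: IP malicious list me mila h")

        # Rule 6: Unauthorized Sensitive File Access
        if row['source.name'] == PROD_SOURCE and country != HOME_COUNTRY:
            flags.append("Bhai: Foreign IP ne prod server access kiya h")

        # Rule 7: Abnormal Payload Size in GET Request
        if row['rule_names'] == "GET Request" and row['bytes_out'] > GET_BYTES_OUT_LIMIT:
            flags.append("Bhai: GET request me payload bahut zyada h")

        # Rule 8: Abnormal Payload Size in POST Request
        if row['rule_names'] == "POST Request" and row['bytes_out'] > POST_BYTES_OUT_LIMIT:
            flags.append("Bhai: POST request me payload bahut zyada h")

        # Rule 9: File Download at Unusual Time
        if ts.hour in NIGHT_HOURS:
            flags.append("Bhai: Raat ke time suspicious activity hui h")

        # Rule 10: Unknown port
        if row['dst_port'] not in allowed_ports:
            flags.append("Bhai: Unknown port access hua h")

        if flags:
            results.append((ip, flags))

    return results


# __name__ is "__main__" inside a notebook cell as well, so the cell still loads
# the export and prints as before, while importing this module runs nothing.
if __name__ == "__main__":
    # Load the CSV export
    df = pd.read_csv(r"C:\Users\LENOVO\Downloads\CloudWatch_Traffic_Web_Attack.csv")

    for src_ip, flags in detect_anomalies(
        df, request_counts=ip_request_count, ports_seen=ports_accessed_today
    ):
        print(f"{src_ip} → {' | '.join(flags)}")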
