In [2]:
import pdftotext
import pandas as pd
import re
ip_pattern = re.compile(r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\."
                     r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\."
                     r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\[\.\]"
                     r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])")

hash_pattern = re.compile(r"\b([^\W_-]{40})\b") #TODO: ensure it is only upper or only lower but not both, might need to break into 2

url_pattern = re.compile(r"\b(([a-zA-Z0-9]{1,63}.)?[^\W_]{1,63}\[\.\][^\W\d_-]{2,3})\b")


In [64]:
def extract_ioc(filepath):
    with open(filepath,"rb") as f:
        all_found={}
        pdf = pdftotext.PDF(f)
        for pageNo, pageText in enumerate(pdf):
            page_contents={}
            ip_matches = ip_pattern.findall(pageText)        
            if ip_matches:
                ip_temp=[]
                for item in ip_matches:
                    ip_temp.append(".".join(i for i in item))
                page_contents['ip_address'] = ip_temp
            hash_matches = hash_pattern.findall(pageText)
            if hash_matches:
                hash_matches=[item for item in hash_matches if (item.lower()==item) or (item.upper()==item)]
                if hash_matches:
                    page_contents['hashes'] = hash_matches
            url_matches = url_pattern.findall(pageText)
            if url_matches:
                url_matches = [item.replace('[','').replace(']','') for (item, _) in url_matches]
                page_contents['url'] = url_matches
            if page_contents:
                all_found[pageNo] = page_contents
    resultant_df =[]
    for key in all_found:
        df = pd.DataFrame([(key, var) for (key, L) in all_found[key].items() for var in L], columns=['ioc_type','value'])
        df['page']=key
        resultant_df.append(df)
    master_df= pd.concat(resultant_df)
#     master_df.columns = ['type', 'value','page']
    return master_df
master_df = extract_ioc('data_files/Win32_Industroyer.pdf')

In [74]:
master_df.head()

Unnamed: 0,ioc_type,value,page,country_code,asn
0,ip_address,195.16.88.6,15,,
1,ip_address,46.28.200.132,15,,
2,ip_address,188.42.253.43,15,,
3,ip_address,5.39.218.152,15,,
4,ip_address,93.115.27.57,15,,


In [22]:
from __future__ import print_function, division
from datetime import date, datetime, timedelta
from time import time
from ftplib import FTP
from sys import argv, exit, stdout, version_info
from pyasn import mrtx, __version__
from sys import argv, exit, stdout
from glob import glob
from argparse import ArgumentParser
try:
    from pyasn import __version__
except:
    pass  # not fatal if we can't get version
if version_info[0] < 3:
    from urllib2 import urlopen
else:
    from urllib.request import urlopen



def ftp_download(server, remote_dir, remote_file, local_file, print_progress=True):
    """Downloads a file from an FTP server and stores it locally"""
    ftp = FTP(server)
    ftp.login()
    ftp.cwd(remote_dir)
    if print_progress:
        print('Downloading ftp://%s/%s/%s' % (server, remote_dir, remote_file))
    filesize = ftp.size(remote_file)
    # perhaps warn before overwriting file?
    with open(local_file, 'wb') as fp:
        def recv(s):
            fp.write(s)
            recv.chunk += 1
            recv.bytes += len(s)
            if recv.chunk % 100 == 0 and print_progress:
                print('\r %.f%%, %.fKB/s' % (recv.bytes*100 / filesize,
                      recv.bytes / (1000*(time()-recv.start))), end='')
                stdout.flush()
        recv.chunk, recv.bytes, recv.start = 0, 0, time()
        ftp.retrbinary('RETR %s' % remote_file, recv)
    ftp.close()
    if print_progress:
        print('\nDownload complete.')


def find_latest_in_ftp(server, archive_root, sub_dir, print_progress=True):
    """Returns (server, filepath, filename) for the most recent file in an FTP archive"""
    if print_progress:
        print('Connecting to ftp://' + server)
    ftp = FTP(server)
    ftp.login()
    months = sorted(ftp.nlst(archive_root), reverse=True)  # e.g. 'route-views6/bgpdata/2016.12'
    filepath = '/%s/%s' % (months[0], sub_dir)
    if print_progress:
        print("Finding most recent archive in %s ..." % filepath)
    ftp.cwd(filepath)
    fls = ftp.nlst()
    if not fls:
        filepath = '/%s/%s' % (months[1], sub_dir)
        if print_progress:
            print("Finding most recent archive in %s ..." % filepath)
        ftp.cwd(filepath)
        fls = ftp.nlst()
        if not fls:
            raise LookupError("Cannot find file to download. Please report a bug on github?")
    filename = max(fls)
    ftp.close()
    return (server, filepath, filename)


def find_latest_routeviews(archive_ipv):
    # RouteViews archives are as follows:
    # ftp://archive.routeviews.org/datapath/YYYYMM/ribs/XXXX
    archive_ipv = str(archive_ipv)
    assert archive_ipv in ('4', '6', '46', '64')
    return find_latest_in_ftp(server='archive.routeviews.org',
                              archive_root='bgpdata' if archive_ipv == '4' else
                                           'route-views6/bgpdata' if archive_ipv == '6' else
                                           'route-views4/bgpdata',  # 4+6
                              sub_dir='RIBS')



In [110]:
import os
from datetime import datetime
def download_rib_file():
    srvr, rp, fn = find_latest_routeviews('46')
    ftp_download(srvr, rp, fn, fn)
    return

def verify_asn_database():    
    if any(item == "asn_{}.asn".format(datetime.today().strftime('%Y%m%d')) for item in os.listdir('.')):    
        print ('latest asn file found') 
        return [item for item in os.listdir('.') if item.endswith('.asn')][0]
    if not any((item.startswith("rib.{}".format(datetime.today().strftime('%Y%m%d'))) \
               and item.endswith('.bz2')) for item in os.listdir('.')):        
        print('downloading latest rib file') 
        download_rib_file()
    rib_file = sorted([item for item in os.listdir('.') if \
                (item.startswith('rib.{}'.format(datetime.today().strftime('%Y%m%d')))\
                and item.endswith('.bz2'))])[-1]
    prefixes = mrtx.parse_mrt_file(rib_file, print_progress=True,
                                   skip_record_on_error=True)
    mrtx.dump_prefixes_to_file(prefixes, "asn_{}.asn".format(datetime.today().strftime('%Y%m%d'), rib_file))
    return ("asn_{}.asn".format(datetime.today().strftime('%Y%m%d')))  

latest_asn = verify_asn_database() 


latest asn file found


In [111]:
from geolite2 import geolite2
import pyasn
def check_asn_cc(row, asndb, geo):
    if row['ioc_type']=='ip_address':        
        try:
            asn, _ = asndb.lookup(row['value'])
            asn = int(asn)
        except:
            asn = 'not found'
        response = geo.get(row['value'])
        try:
            return (asn, response['country']['iso_code'])
        except:
            return (asn, "not found")
    else:
        return (None, None)

In [113]:
if len(master_df[master_df['ioc_type']=='ip_address'])>0: 
    asndb = pyasn.pyasn(latest_asn) 
    geo = geolite2.reader()
    master_df[['asn','country_code']] = master_df.apply(check_asn_cc, args=(asndb, geo), axis=1, result_type="expand")
master_df

Unnamed: 0,ioc_type,value,page,country_code,asn
0,ip_address,195.16.88.6,15,UA,59939.0
1,ip_address,46.28.200.132,15,CH,197988.0
2,ip_address,188.42.253.43,15,SG,45470.0
3,ip_address,5.39.218.152,15,NL,57043.0
4,ip_address,93.115.27.57,15,LT,16125.0
5,hashes,F6C21F8189CED6AE150F9EF2E82A3A57843B587D,15,,
6,hashes,CCCCE62996D578B984984426A024D9B250237533,15,,
7,hashes,8E39ECA1E48240C01EE570631AE8F0C9A9637187,15,,
8,hashes,2CB8230281B86FA944D3043AE906016C8B5984D9,15,,
9,hashes,79CA89711CDAEDB16B0CCCCFDCFBD6AA7E57120A,15,,


In [25]:
count=0
# with open("data/http.log" ,'r') as f:
f = open("./data_files/http.log", "r")
for x in f:
    print(x)
    count+=1
    if count>5:
        break
f.close()

1331901000.000000	CHEt7z3AzG4gyCNgci	192.168.202.79	50465	192.168.229.251	80	1	HEAD	192.168.229.251	/DEASLog02.nsf	-	Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)	0	0	404	Not Found	-	-	-	(empty)	-	-	-	-	-	-	-

1331901000.010000	CKnDAp2ohlvN6rpiXl	192.168.202.79	50467	192.168.229.251	80	1	HEAD	192.168.229.251	/DEASLog03.nsf	-	Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)	0	0	404	Not Found	-	-	-	(empty)	-	-	-	-	-	-	-

1331901000.030000	CNTrjn42F3LB58MZH6	192.168.202.79	50469	192.168.229.251	80	1	HEAD	192.168.229.251	/DEASLog04.nsf	-	Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)	0	0	404	Not Found	-	-	-	(empty)	-	-	-	-	-	-	-

1331901000.040000	C1D7mK1PlzKEnEyG03	192.168.202.79	50471	192.168.229.251	80	1	HEAD	192.168.229.251	/DEASLog05.nsf	-	Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)	0	0	404	Not Found	-	-	-	(empty)	-	-	-	-	-	-	-

1331901000.050000	CGF1bVMyl9

In [1]:
import pandas as pd
from IPython.core.display import display, HTML
display(HTML("<style>.container { width:100% !important; }</style>"))
pd.set_option('display.max_columns', None)

df = pd.read_csv("data_files/http.log", sep="\t", nrows=100, header=None)
df.head()

Unnamed: 0,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
0,1331901000.0,CHEt7z3AzG4gyCNgci,192.168.202.79,50465,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog02.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
1,1331901000.0,CKnDAp2ohlvN6rpiXl,192.168.202.79,50467,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog03.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
2,1331901000.0,CNTrjn42F3LB58MZH6,192.168.202.79,50469,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog04.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
3,1331901000.0,C1D7mK1PlzKEnEyG03,192.168.202.79,50471,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog05.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
4,1331901000.0,CGF1bVMyl9ALKI32l,192.168.202.79,50473,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-


In [40]:
with open("data_files/http.log","r") as f:
    data = f.readlines()
print(len(data))
lines = data[31910:31915]
del data

2048442


In [42]:
temp = [item.split('\t') for item in lines]
for item in temp:
    print (len(item))

27
27
27
27
27


In [44]:
df = pd.read_csv("data_files/http.log", sep="\t", header = None, error_bad_lines=False)
df.memory_usage()

b'Skipping line 31914: expected 27 fields, saw 29\n'
b'Skipping line 37072: expected 27 fields, saw 29\nSkipping line 37074: expected 27 fields, saw 29\nSkipping line 37076: expected 27 fields, saw 29\nSkipping line 37079: expected 27 fields, saw 29\nSkipping line 57570: expected 27 fields, saw 29\nSkipping line 57573: expected 27 fields, saw 29\nSkipping line 57576: expected 27 fields, saw 29\nSkipping line 57579: expected 27 fields, saw 29\nSkipping line 57581: expected 27 fields, saw 29\nSkipping line 57582: expected 27 fields, saw 29\nSkipping line 57585: expected 27 fields, saw 29\nSkipping line 57589: expected 27 fields, saw 29\nSkipping line 57591: expected 27 fields, saw 29\nSkipping line 57592: expected 27 fields, saw 29\nSkipping line 57595: expected 27 fields, saw 29\nSkipping line 57597: expected 27 fields, saw 29\nSkipping line 57599: expected 27 fields, saw 29\nSkipping line 57601: expected 27 fields, saw 29\nSkipping line 57607: expected 27 fields, saw 29\nSkipping line 

Index         128
0        16379680
1        16379680
2        16379680
3        16379680
4        16379680
5        16379680
6        16379680
7        16379680
8        16379680
9        16379680
10       16379680
11       16379680
12       16379680
13       16379680
14       16379680
15       16379680
16       16379680
17       16379680
18       16379680
19       16379680
20       16379680
21       16379680
22       16379680
23       16379680
24       16379680
25       16379680
26       16379680
dtype: int64

In [46]:
for item in lines:
    print(item,'\n')

1331904122.040000	CfcNsvIomPj9xFxW	192.168.202.110	41617	192.168.27.203	8080	1	GET	192.168.27.203	/admin-old/	-	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)	0	985	404	Not Found	-	-	-	(empty)	-	-	-	-	-	Ff2Y5x3ighx3emGwLe	text/html
 

1331904122.040000	CFI7OE4oNpkc1FQhT4	192.168.202.110	41618	192.168.27.203	8080	1	GET	192.168.27.203	/admin.back/	-	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)	0	988	404	Not Found	-	-	-	(empty)	-	-	-	-	-	FLqvT81NKTFDVS1VH9	text/html
 

1331904122.050000	CiFdInahuznIJNau	192.168.202.110	41619	192.168.27.203	8080	1	GET	192.168.27.203	/admin_/	-	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)	0	976	404	Not Found	-	-	-	(empty)	-	-	-	-	-	FCIAN513uNEodhfL89	text/html
 

1331904122.050000	CkRnOb3mLxl0S1z2rg	192.168.202.110	51829	192.168.27.102	80	1	GET	192.168.27.102	/scripts/error.php?err=404	<script>alert(document.cookie);</script>	"; system(id);#	0	295	404	Not Found	-	-	-	(empty)	-	-	-	-	-	FoYZX7Fz3sJQDq6Yd	

In [47]:
df.head()

Unnamed: 0,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26
0,1331901000.0,CHEt7z3AzG4gyCNgci,192.168.202.79,50465,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog02.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
1,1331901000.0,CKnDAp2ohlvN6rpiXl,192.168.202.79,50467,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog03.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
2,1331901000.0,CNTrjn42F3LB58MZH6,192.168.202.79,50469,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog04.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
3,1331901000.0,C1D7mK1PlzKEnEyG03,192.168.202.79,50471,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog05.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-
4,1331901000.0,CGF1bVMyl9ALKI32l,192.168.202.79,50473,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog.nsf,-,Mozilla/5.0 (compatible; Nmap Scripting Engine...,0,0,404,Not Found,-,-,-,(empty),-,-,-,-,-,-,-


In [48]:
cols = ['ts','uid','orig_h', 'orig_p','resp_h', 'resp_p','trans_depth','method','host','uri','referrer','user_agent','request_body_len','response_body_len','status_code','status_msg','info_code','info_msg','filename','tags',\
        'username','password','proxied','orig_fuids','orig_mime_types','resp_fuids','resp_mime_types']

df.columns=cols

In [53]:
a= df.groupby('orig_h')['orig_p'].nunique().reset_index().sort_values('orig_p', ascending=False)

In [55]:
a.head(20)

Unnamed: 0,orig_h,orig_p
7,192.168.202.110,28106
16,192.168.202.138,20249
17,192.168.202.140,16090
48,192.168.203.63,13015
33,192.168.202.79,12193
10,192.168.202.118,11289
42,192.168.202.96,8874
2,192.168.202.102,3960
32,192.168.202.76,3839
3,192.168.202.103,1797


(197988, '46.28.200.0/21')

In [5]:
from ip2geotools.databases.noncommercial import DbIpCity
response = DbIpCity.get('46.28.200.32', api_key='free')

response.country


'CH'

In [7]:
response.city

'Zurich (Zürich (Kreis 9) / Altstetten)'

In [2]:
match = geolite2.lookup('46.28.200.32')
match.country

RuntimeError: Cannot use packaged database "geolite2" because package "_geoip_geolite2" is not available. It's provided by PyPI package "python-geoip-geolite2"

get asn and country code
cmd:
git clone https://github.com/hadiasghari/pyasn.git
in folder of pyasn_utils, run "python pyasn_util_download.py --latestv46"
in same folder, run "python pyasn_util_convert.py --single rib.20200529.0200.bz2 ipasn2.dat"
in python, import pyasn, 
import pyasn


asndb = pyasn.pyasn('D:\Documents\github\pyasn\pyasn-utils\ipasn2.dat')
asndb.lookup('46.28.200.32')

In [5]:
import pdftotext
from six.moves.urllib.request import urlopen
import io

# url = 'https://www.sec.gov/litigation/admin/2015/34-76574.pdf'
# remote_file = urlopen(url).read()
# memory_file = io.BytesIO('"data_files/Win32_Industroyer.pdf"')
with open("data_files/Win32_Industroyer.pdf","rb") as f:
    pdf = pdftotext.PDF(f)

# Iterate over all the pages
    for page in pdf:
        print(page)

WIN32/INDUSTROYER
A new threat for
industrial control systems

Anton Cherepanov, ESET
Version 2017-06-12

                                                                                                                                 Win32/Industroyer   1




Contents
Win32/Industroyer: a new threat for industrial control systems  .  .  .  .  .  .  . 2
Main backdoor  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 3
Additional backdoor  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 4
Launcher component  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 5
101 payload component  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .6
104 payload component .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 7
61850 payload component  .  .  

In [25]:
string=pdf[15]
string



In [3]:
%time
text2 = """
     7.2 Paths
          %TEMP%\FXSAPIDebugTrace.txt
          %TEMP%\iecache.bin


     7.3 Windows registry
          (HKLM|HKCU)\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\
          {59031A47-3F72-44A7-80C5-5595FE6B30EE}
          HKLM\SOFTWARE\Microsoft\SQMClient\Windows.WSqmCons


     7.4 Network
          arinas[.]tk
          bedrost[.]com
          branter[.]tk
          bronerg[.]tk
          celestyna[.]tk
          crusider[.]tk
          davilta[.]tk
          deme[.]ml
          dixito[.]ml
          duke6[.]tk
          elizabi[.]tk
          foods.jkub[.]com
          hofa[.]tk
          hunvin[.]tk
          lakify[.]ml
          lindaztert[.]net
          misters[.]ml
          pewyth[.]ga
          progress.zyns[.]com
          sameera[.]gq
          sanitar[.]ml
          scrabble.ikwb[.]com
          sumefu[.]gq
          umefu[.]gq
          vefogy[.]cf
          vylys[.]com
          wekanda[.]tk
"""
import re

url_pattern = re.compile(r"\b(([a-zA-Z0-9]{1,63}.)?[^\W_]{1,63}\[\.\][^\W_-]{2,3})\b")
matches = url_pattern.findall(text2)
if matches:
    print([item for item in matches])

Wall time: 0 ns
[('arinas[.]tk', 'arina'), ('bedrost[.]com', 'bedros'), ('branter[.]tk', 'brante'), ('bronerg[.]tk', 'broner'), ('celestyna[.]tk', 'celestyn'), ('crusider[.]tk', 'cruside'), ('davilta[.]tk', 'davilt'), ('deme[.]ml', 'dem'), ('dixito[.]ml', 'dixit'), ('duke6[.]tk', 'duke'), ('elizabi[.]tk', 'elizab'), ('foods.jkub[.]com', 'foods.'), ('hofa[.]tk', 'hof'), ('hunvin[.]tk', 'hunvi'), ('lakify[.]ml', 'lakif'), ('lindaztert[.]net', 'lindazter'), ('misters[.]ml', 'mister'), ('pewyth[.]ga', 'pewyt'), ('progress.zyns[.]com', 'progress.'), ('sameera[.]gq', 'sameer'), ('sanitar[.]ml', 'sanita'), ('scrabble.ikwb[.]com', 'scrabble.'), ('sumefu[.]gq', 'sumef'), ('umefu[.]gq', 'umef'), ('vefogy[.]cf', 'vefog'), ('vylys[.]com', 'vyly'), ('wekanda[.]tk', 'wekand')]


In [1]:
import pandas as pd
df = pd.read_csv('data_files/http.log.gz', compression='gzip', header=None, sep='\t', quoting=3)
df.columns=['ts','uid','origin_h','origin_p','response_h','response_p',\
            'depth','method','host','uri','referrer','user_agent','request_len','response_len',\
            'status_code','status_msg','info_code','info_msg','filename','tags','username',\
            'password','proxied','origin_fuid','origin_mime_type','response_fuid','response_mime_types']

df.info()

  interactivity=interactivity, compiler=compiler, result=result)


<class 'pandas.core.frame.DataFrame'>
RangeIndex: 2048442 entries, 0 to 2048441
Data columns (total 27 columns):
 #   Column               Dtype  
---  ------               -----  
 0   ts                   float64
 1   uid                  object 
 2   origin_h             object 
 3   origin_p             int64  
 4   response_h           object 
 5   response_p           int64  
 6   depth                int64  
 7   method               object 
 8   host                 object 
 9   uri                  object 
 10  referrer             object 
 11  user_agent           object 
 12  request_len          int64  
 13  response_len         int64  
 14  status_code          object 
 15  status_msg           object 
 16  info_code            object 
 17  info_msg             object 
 18  filename             object 
 19  tags                 object 
 20  username             object 
 21  password             object 
 22  proxied              object 
 23  origin_fuid          object 
 24

In [2]:
df.memory_usage()

Index                       128
ts                     16387536
uid                    16387536
origin_h               16387536
origin_p               16387536
response_h             16387536
response_p             16387536
depth                  16387536
method                 16387536
host                   16387536
uri                    16387536
referrer               16387536
user_agent             16387536
request_len            16387536
response_len           16387536
status_code            16387536
status_msg             16387536
info_code              16387536
info_msg               16387536
filename               16387536
tags                   16387536
username               16387536
password               16387536
proxied                16387536
origin_fuid            16387536
origin_mime_type       16387536
response_fuid          16387536
response_mime_types    16387536
dtype: int64

In [3]:
df['origin_p']=df['origin_p'].astype('int')
df['response_p']=df['response_p'].astype('int')
df['depth']=df['depth'].astype('int')
df['request_len']=df['request_len'].astype('int')
df['response_len']=df['response_len'].astype('int')
df.memory_usage()

Index                       128
ts                     16387536
uid                    16387536
origin_h               16387536
origin_p                8193768
response_h             16387536
response_p              8193768
depth                   8193768
method                 16387536
host                   16387536
uri                    16387536
referrer               16387536
user_agent             16387536
request_len             8193768
response_len            8193768
status_code            16387536
status_msg             16387536
info_code              16387536
info_msg               16387536
filename               16387536
tags                   16387536
username               16387536
password               16387536
proxied                16387536
origin_fuid            16387536
origin_mime_type       16387536
response_fuid          16387536
response_mime_types    16387536
dtype: int64

In [4]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 2048442 entries, 0 to 2048441
Data columns (total 27 columns):
 #   Column               Dtype  
---  ------               -----  
 0   ts                   float64
 1   uid                  object 
 2   origin_h             object 
 3   origin_p             int32  
 4   response_h           object 
 5   response_p           int32  
 6   depth                int32  
 7   method               object 
 8   host                 object 
 9   uri                  object 
 10  referrer             object 
 11  user_agent           object 
 12  request_len          int32  
 13  response_len         int32  
 14  status_code          object 
 15  status_msg           object 
 16  info_code            object 
 17  info_msg             object 
 18  filename             object 
 19  tags                 object 
 20  username             object 
 21  password             object 
 22  proxied              object 
 23  origin_fuid          object 
 24

In [7]:
df['origin_mime_type'].unique()

array(['-', 'application/xml', 'text/plain', 'binary', 'text/html',
       'text/plain,text/html', 'text/plain,text/plain',
       'text/rtf,text/plain', 'application/octet-stream', 'text/x-php',
       'text/plain,text/plain,text/plain,text/plain,text/plain',
       'text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain',
       'text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain',
       'text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain',
       'text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,application/x-dosexec,text/plain',
       'text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/html,text/plain',
       'text/plain,text/plain,text/plain,text/plain,text/plain,

In [8]:
df['uri'].unique()

array(['/DEASLog02.nsf', '/DEASLog03.nsf', '/DEASLog04.nsf', ...,
       '/resources/js/jquery.js?_=1332017247533',
       '/resources/js/jquery-ui.js?_=1332017247590',
       '/resources/js/jquery.form.js?_=1332017247692'], dtype=object)

In [9]:
df['ts']=pd.to_datetime(df['ts'], unit='s', origin='unix')
df.head()

Unnamed: 0,ts,uid,origin_h,origin_p,response_h,response_p,depth,method,host,uri,...,info_msg,filename,tags,username,password,proxied,origin_fuid,origin_mime_type,response_fuid,response_mime_types
0,2012-03-16 12:30:00.000000000,CHEt7z3AzG4gyCNgci,192.168.202.79,50465,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog02.nsf,...,-,-,(empty),-,-,-,-,-,-,-
1,2012-03-16 12:30:00.009999990,CKnDAp2ohlvN6rpiXl,192.168.202.79,50467,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog03.nsf,...,-,-,(empty),-,-,-,-,-,-,-
2,2012-03-16 12:30:00.029999971,CNTrjn42F3LB58MZH6,192.168.202.79,50469,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog04.nsf,...,-,-,(empty),-,-,-,-,-,-,-
3,2012-03-16 12:30:00.039999962,C1D7mK1PlzKEnEyG03,192.168.202.79,50471,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog05.nsf,...,-,-,(empty),-,-,-,-,-,-,-
4,2012-03-16 12:30:00.049999952,CGF1bVMyl9ALKI32l,192.168.202.79,50473,192.168.229.251,80,1,HEAD,192.168.229.251,/DEASLog.nsf,...,-,-,(empty),-,-,-,-,-,-,-


In [10]:
df.ts.min(), df.ts.max()

(Timestamp('2012-03-16 12:30:00'), Timestamp('2012-03-17 20:46:54.250000'))

In [12]:
a=df.groupby('origin_h')['origin_p'].nunique().reset_index().sort_values(by='origin_p', ascending=False)

In [21]:
a.head(20)

Unnamed: 0,origin_h,origin_p
7,192.168.202.110,28108
16,192.168.202.138,20251
17,192.168.202.140,16090
48,192.168.203.63,13015
33,192.168.202.79,12193
10,192.168.202.118,11289
42,192.168.202.96,8874
2,192.168.202.102,3960
32,192.168.202.76,3843
3,192.168.202.103,1798


In [16]:
df[['origin_p','status_code']].drop_duplicates(subset=['origin_p','status_code'], keep='first')

Unnamed: 0,origin_p,status_code
0,50465,404
1,50467,404
2,50469,404
3,50471,404
4,50473,404
...,...,...
2048423,39852,-
2048424,55469,-
2048425,44974,302
2048435,1512,304


In [17]:
df.groupby('status_code')['origin_p'].nunique()

status_code
200     1767
301        4
302        4
303        1
304       23
400       60
401       10
403       73
404     6330
405        3
414        1
501        1
-       7392
200    28211
201      113
204        1
206      266
207        4
301      541
302     3783
303     9424
304     2303
400    20532
401     1688
403     6780
404    36298
405      429
406        3
411       12
413       32
414      188
417       46
500      387
501      338
502        1
503     1551
505        5
Name: origin_p, dtype: int64

In [20]:
df.groupby('origin_h')['user_agent'].nunique().reset_index().sort_values(by='user_agent', ascending=False)

Unnamed: 0,origin_h,user_agent
33,192.168.202.79,6389
12,192.168.202.125,90
2,192.168.202.102,27
16,192.168.202.138,18
7,192.168.202.110,16
...,...,...
39,192.168.202.91,1
41,192.168.202.95,1
43,192.168.202.97,1
44,192.168.202.98,1
