# Jupyter Playbooks for Suricata

* Markus Kont
* Stamus Networks
* github.com/markuskont
* https://twitter.com/markuskont

## Introduction

* Introduce a tool
  * not for experienced data scientists
  * spark some ideas
* Focus on use-cases around Suricata
  * no iris dataset
* Might not have time to cover everything
  * presentation is meant to be a resource

### Fmt.presentation()

 * Presentation **IS** a notebook
 * it is public
 * code examples are live
 * all data is generated by the notebook
   * (from `malware-traffic-analysis.net`)

### whoami

* 2011: Server Administrator
  * Now fully recovered
* 2014: Cyber Security MSc, TalTech
  * 2015: PhD candidate
  * academia was not for me
* 2015: Technology Branch Researcher, NATO CCDCOE
  * trainings, exercises, research
  * met Eric Leblond in 2016
  * later met Peter Manev during Suricon
* 2020: Developer & Threat Researcher, Stamus Networks
  * analytics, suricata rules, detection methods, devops, backend dev, ...
  * ...insert random fancy title here...
  * in short, resident hacker

## Hello Jupyter

### pip install jupyter

 * Initially IPython Notebooks
   * interactive coding
   * instant feedback
 * Then rebranded to Jupyter
   * de'facto tool for a data scientist
 * Supports different *kernels*
   * R
   * nodejs
   * julia
   * Go
   * ...

#### Basic concepts

 * Organized into *cells*
 * *Cell* can be *code* or *markdown*
 * Cell is executed by *kernel*
 * JupyterLab is like IDE

#### Installing

```
pip install jupyter jupyterlab
```

#### Starting it up

```
(general) ➜  suricata-analytics-1 git:(next-suricon-2022-10-28) ✗ jupyter lab
[I 2022-10-30 06:10:48.141 ServerApp] jupyterlab | extension was successfully linked.
[I 2022-10-30 06:10:48.150 ServerApp] nbclassic | extension was successfully linked.
[I 2022-10-30 06:10:48.170 LabApp] JupyterLab extension loaded from /home/markus/venvs/general/lib/python3.10/site-packages/jupyterlab
[I 2022-10-30 06:10:48.170 LabApp] JupyterLab application directory is /home/markus/venvs/general/share/jupyter/lab
[I 2022-10-30 06:10:48.173 ServerApp] jupyterlab | extension was successfully loaded.
[I 2022-10-30 06:10:48.177 ServerApp] nbclassic | extension was successfully loaded.
[I 2022-10-30 06:10:48.177 ServerApp] The port 8888 is already in use, trying another port.
[I 2022-10-30 06:10:48.178 ServerApp] Serving notebooks from local directory: /home/markus/Projects/SN/suricata-analytics-1
[I 2022-10-30 06:10:48.178 ServerApp] Jupyter Server 1.21.0 is running at:
[I 2022-10-30 06:10:48.178 ServerApp] http://localhost:8889/lab?token=b675c4daec9a6c2beb11b0a6cd38a314509ae62b1989b2e2
[I 2022-10-30 06:10:48.178 ServerApp]  or http://127.0.0.1:8889/lab?token=b675c4daec9a6c2beb11b0a6cd38a314509ae62b1989b2e2
[I 2022-10-30 06:10:48.178 ServerApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 2022-10-30 06:10:48.216 ServerApp]

    To access the server, open this file in a browser:
        file:///home/markus/.local/share/jupyter/runtime/jpserver-395207-open.html
    Or copy and paste one of these URLs:
        http://localhost:8889/lab?token=b675c4daec9a6c2beb11b0a6cd38a314509ae62b1989b2e2
     or http://127.0.0.1:8889/lab?token=b675c4daec9a6c2beb11b0a6cd38a314509ae62b1989b2e2
Opening in existing browser session.
```

#### Code

It is suricon, so let's start the demo by downloading a PCAP file. With **pure python**. Purpose of this is to demo:

* Simple python code in notebook;
* To get initial input for next *slides*

Firstly, import supporting libraries.

In [15]:
import requests
from zipfile import ZipFile

Then define download link and output path as variables.

In [18]:
URL = "https://malware-traffic-analysis.net/2022/01/03/2022-01-01-thru-03-server-activity-with-log4j-attempts.pcap.zip"
OUTPUT = "/tmp/malware-pcap.zip"

Download and store the file. Notice the real-time output as code gets evalutated.

In [19]:
response = requests.get(URL, stream=True)
if response.status_code == 200:
    print("Download good, writing %d KBytes to %s" % 
          (int(response.headers.get("Content-length")) / 1024,
           OUTPUT))
    with open(OUTPUT, 'wb') as f:
        f.write(response.raw.read())
    print("Done")
else:
    print("Demo effect has kicked in")

Download good, writing 1254 KBytes to /tmp/malware-pcap.zip
Done


Then unzip the archive.

In [20]:
file_name = OUTPUT
with ZipFile(file_name, "r") as zip:
    zip.extractall(path="/tmp", pwd="infected".encode("utf-8"))

Find the PCAP and store for later use.

In [23]:
import glob
FILES = glob.glob("/tmp/*.pcap")
FILES

['/tmp/2022-01-01-thru-03-server-activity-with-log4j-attempts.pcap']

In [40]:
print(FILES[0])

/tmp/2022-01-01-thru-03-server-activity-with-log4j-attempts.pcap


#### Invoking a Shell command

* Writing code to do some simple things can be a hassle
* Jupyter provides some helpers
    * `%` calls builtin magic commands
    * `!` invokes any shell command

For example, we need a Suricata ruleset to proceed with presentation.

In [32]:
%pip install suricata-update

Note: you may need to restart the kernel to use updated packages.


In [33]:
!/home/jovyan/.local/bin/suricata-update

[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Using data-directory /var/lib/suricata.[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Using Suricata configuration /etc/suricata/suricata.yaml[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Using /opt/suricata/share/suricata/rules for Suricata provided rules.[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Found Suricata version 7.0.0-beta1 at /opt/suricata/bin/suricata.[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Loading /etc/suricata/suricata.yaml[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Disabling rules for protocol pgsql[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Disabling rules for protocol modbus[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Disabling rules for protocol dnp3[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- Disabling rules for protocol enip[0m
[32m30/10/2022 -- 04:49:50[0m - <[33mInfo[0m> -- No sources configured, wil

In [38]:
!rm -rf /tmp/logs && mkdir /tmp/logs

In [46]:
!suricata -S /var/lib/suricata/rules/suricata.rules -l /tmp/logs -r /tmp/2022-01-01-thru-03-server-activity-with-log4j-attempts.pcap -v

[32m30/10/2022 -- 04:56:14[0m - <[1;33mNotice[0m> - [33mThis is Suricata version 7.0.0-beta1 RELEASE running in USER mode[0m
[32m30/10/2022 -- 04:56:14[0m - <[33mInfo[0m> - CPUs/cores online: 12[0m
[32m30/10/2022 -- 04:56:14[0m - <[33mInfo[0m> - fast output device (regular) initialized: fast.log[0m
[32m30/10/2022 -- 04:56:14[0m - <[33mInfo[0m> - eve-log output device (regular) initialized: eve.json[0m
[32m30/10/2022 -- 04:56:14[0m - <[33mInfo[0m> - stats output device (regular) initialized: stats.log[0m
[32m30/10/2022 -- 04:56:19[0m - <[33mInfo[0m> - 1 rule files processed. 28761 rules successfully loaded, 0 rules failed[0m
[32m30/10/2022 -- 04:56:19[0m - <[33mInfo[0m> - Threshold config parsed: 0 rule(s) found[0m
[32m30/10/2022 -- 04:56:19[0m - <[33mInfo[0m> - 28764 signatures processed. 1183 are IP-only rules, 5166 are inspecting packet payload, 22211 inspect application layer, 108 are decoder event only[0m
[32m30/10/2022 -- 04:56:27[0m - <

## Meercat on Jupyter

### Import pandas as pd

* `pandas` is a python library that provides *dataframes*
* more than a library, it's actually a language by itself
* think R and Julia
* forget what you know about for loops
  * but it's totally worth it!

In [47]:
%pip install pandas

Note: you may need to restart the kernel to use updated packages.


In [48]:
import pandas as pd
import numpy as np

In [52]:
import json

with open("/tmp/logs/eve.json", "r") as handle:
    DATA = [json.loads(line) for line in handle]
    DF = pd.json_normalize(DATA)

In [55]:
DF

Unnamed: 0,timestamp,flow_id,pcap_cnt,event_type,src_ip,src_port,dest_ip,dest_port,proto,pkt_src,...,stats.app_layer.error.nfs_udp.internal,stats.app_layer.error.krb5_udp.alloc,stats.app_layer.error.krb5_udp.parser,stats.app_layer.error.krb5_udp.internal,stats.app_layer.expectations,stats.http.memuse,stats.http.memcap,stats.ftp.memuse,stats.ftp.memcap,stats.file_store.open_files
0,2022-01-01T00:04:26.529009+0000,7.368444e+14,34.0,http,64.225.75.232,33556.0,198.71.247.91,80.0,TCP,wire/pcap,...,,,,,,,,,,
1,2022-01-01T00:05:53.595328+0000,5.277809e+14,57.0,http,219.84.187.214,56903.0,198.71.247.91,80.0,TCP,wire/pcap,...,,,,,,,,,,
2,2022-01-01T00:04:26.529078+0000,7.368444e+14,36.0,fileinfo,198.71.247.91,80.0,64.225.75.232,33556.0,TCP,wire/pcap,...,,,,,,,,,,
3,2022-01-01T00:25:53.420609+0000,5.096138e+14,202.0,http,162.158.88.141,47958.0,198.71.247.91,80.0,TCP,wire/pcap,...,,,,,,,,,,
4,2022-01-01T00:00:13.076985+0000,1.756928e+15,,flow,18.212.79.210,,198.71.247.91,,ICMP,,...,,,,,,,,,,
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
25896,2022-01-01T00:00:13.076985+0000,1.630767e+15,,flow,218.208.118.2,52073.0,198.71.247.91,445.0,TCP,,...,,,,,,,,,,
25897,2022-01-01T00:00:13.076985+0000,8.976554e+13,,flow,45.134.26.45,58164.0,198.71.247.91,65380.0,TCP,,...,,,,,,,,,,
25898,2022-01-01T00:00:13.076985+0000,1.179594e+15,,flow,45.146.166.116,46439.0,198.71.247.91,19346.0,TCP,,...,,,,,,,,,,
25899,2022-01-01T00:00:13.076985+0000,1.292452e+15,,flow,193.3.53.6,40232.0,198.71.247.91,1962.0,TCP,,...,,,,,,,,,,


In [58]:
len(DF)

25901

In [59]:
len(DF.columns.values)

557

In [60]:
len([c for c in list(DF.columns.values) if not c.startswith("stats")])

120

In [56]:
DF.head(5)

Unnamed: 0,timestamp,flow_id,pcap_cnt,event_type,src_ip,src_port,dest_ip,dest_port,proto,pkt_src,...,stats.app_layer.error.nfs_udp.internal,stats.app_layer.error.krb5_udp.alloc,stats.app_layer.error.krb5_udp.parser,stats.app_layer.error.krb5_udp.internal,stats.app_layer.expectations,stats.http.memuse,stats.http.memcap,stats.ftp.memuse,stats.ftp.memcap,stats.file_store.open_files
0,2022-01-01T00:04:26.529009+0000,736844400000000.0,34.0,http,64.225.75.232,33556.0,198.71.247.91,80.0,TCP,wire/pcap,...,,,,,,,,,,
1,2022-01-01T00:05:53.595328+0000,527780900000000.0,57.0,http,219.84.187.214,56903.0,198.71.247.91,80.0,TCP,wire/pcap,...,,,,,,,,,,
2,2022-01-01T00:04:26.529078+0000,736844400000000.0,36.0,fileinfo,198.71.247.91,80.0,64.225.75.232,33556.0,TCP,wire/pcap,...,,,,,,,,,,
3,2022-01-01T00:25:53.420609+0000,509613800000000.0,202.0,http,162.158.88.141,47958.0,198.71.247.91,80.0,TCP,wire/pcap,...,,,,,,,,,,
4,2022-01-01T00:00:13.076985+0000,1756928000000000.0,,flow,18.212.79.210,,198.71.247.91,,ICMP,,...,,,,,,,,,,


In [62]:
DF.describe()

Unnamed: 0,flow_id,pcap_cnt,src_port,dest_port,tx_id,http.status,http.length,fileinfo.size,fileinfo.tx_id,icmp_type,...,stats.app_layer.error.nfs_udp.internal,stats.app_layer.error.krb5_udp.alloc,stats.app_layer.error.krb5_udp.parser,stats.app_layer.error.krb5_udp.internal,stats.app_layer.expectations,stats.http.memuse,stats.http.memcap,stats.ftp.memuse,stats.ftp.memcap,stats.file_store.open_files
count,25900.0,2754.0,23535.0,23535.0,1207.0,2406.0,2425.0,1233.0,1233.0,2367.0,...,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0
mean,1137316000000000.0,21675.688453,42136.566093,14515.90376,4.279205,352.704904,219.074639,272.029197,5.257908,7.99324,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
std,646905800000000.0,12319.540304,17984.469425,17838.774877,7.498972,88.45178,99.841086,556.123714,8.729893,0.232495,...,,,,,,,,,,
min,2342168000.0,18.0,0.0,0.0,0.0,200.0,0.0,18.0,0.0,0.0,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
25%,588875400000000.0,10546.75,36100.5,1700.0,0.0,200.0,51.0,138.0,0.0,8.0,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
50%,1130943000000000.0,23269.5,48856.0,7000.0,0.0,404.0,275.0,275.0,0.0,8.0,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
75%,1696583000000000.0,33560.0,54812.0,22080.0,7.0,404.0,279.0,279.0,9.0,8.0,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
max,2251779000000000.0,39193.0,65531.0,65528.0,41.0,408.0,316.0,6138.0,41.0,8.0,...,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0


### Threat hunting

### Advanced Analytics

### Ruleset analysis