# Lab 00a: Python for Security Fundamentals

[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/depalmar/ai_for_the_win/blob/main/notebooks/lab00a_python_security.ipynb)

Learn Python basics with security-focused examples. This lab is for absolute beginners.

## Learning Objectives
- Variables, data types, and control flow
- Working with files and APIs
- Regular expressions for pattern matching
- Security-focused coding examples

## 1. Variables and Data Types

In [None]:
# Security-relevant data types
ip_address = "192.168.1.100"
port = 443
is_malicious = False
threat_score = 7.5

print(f"IP: {ip_address}, Port: {port}, Malicious: {is_malicious}, Score: {threat_score}")

In [None]:
# Lists - store multiple IOCs
suspicious_ips = ["10.0.0.1", "192.168.1.50", "172.16.0.100"]
print(f"First IP: {suspicious_ips[0]}")
print(f"All IPs: {suspicious_ips}")

In [None]:
# Dictionaries - structured threat data
threat_intel = {
    "ip": "45.33.32.156",
    "type": "c2_server",
    "confidence": 0.95,
    "first_seen": "2024-01-15"
}

print(f"Threat Type: {threat_intel['type']}")
print(f"Confidence: {threat_intel['confidence']*100}%")

## 2. Control Flow

In [None]:
# If statements - threat classification
threat_score = 8.5

if threat_score >= 9:
    severity = "CRITICAL"
elif threat_score >= 7:
    severity = "HIGH"
elif threat_score >= 4:
    severity = "MEDIUM"
else:
    severity = "LOW"

print(f"Score {threat_score} -> Severity: {severity}")

In [None]:
# For loops - process multiple IOCs
iocs = ["malware.exe", "evil.dll", "backdoor.ps1"]

for ioc in iocs:
    print(f"Analyzing: {ioc}")
    if ioc.endswith(".exe"):
        print("  -> Executable detected!")

## 3. Functions

In [None]:
def calculate_risk_score(cvss_base: float, exploitability: float) -> float:
    """Calculate a risk score from CVSS and exploitability."""
    return (cvss_base * 0.6) + (exploitability * 0.4)

# Test the function
risk = calculate_risk_score(cvss_base=9.8, exploitability=8.0)
print(f"Risk Score: {risk:.2f}")

In [None]:
def is_private_ip(ip: str) -> bool:
    """Check if an IP address is in a private range."""
    private_prefixes = ["10.", "172.16.", "172.17.", "172.18.", "172.19.",
                        "172.20.", "172.21.", "172.22.", "172.23.", "172.24.",
                        "172.25.", "172.26.", "172.27.", "172.28.", "172.29.",
                        "172.30.", "172.31.", "192.168."]
    return any(ip.startswith(prefix) for prefix in private_prefixes)

# Test
test_ips = ["192.168.1.1", "8.8.8.8", "10.0.0.1"]
for ip in test_ips:
    print(f"{ip}: {'Private' if is_private_ip(ip) else 'Public'}")
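Prefix matching works for the addresses above, but a practitioner usually reaches for the standard-library `ipaddress` module instead: it validates the string, handles IPv6, and knows the special-purpose ranges (loopback, link-local, multicast) as well as RFC 1918 space. The following is an added example, not code from the lab; `classify_ip` and `public_only` are names chosen here.

```python
import ipaddress
from typing import Iterable, List

def classify_ip(ip: str) -> str:
    """Classify an IPv4/IPv6 string using ipaddress rather than string prefixes.

    Returns "invalid" for anything that is not an IP address, otherwise one of
    "loopback", "link-local", "multicast", "reserved", "private" or "public".
    The order of the checks matters: 127.0.0.1 is both loopback and
    "private" in Python's tables, so the more specific category is tested first.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:          # e.g. "999.1.1.1" or "not-an-ip"
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:      # 169.254.0.0/16, fe80::/10
        return "link-local"
    if addr.is_multicast:       # 224.0.0.0/4, ff00::/8
        return "multicast"
    if addr.is_reserved:        # e.g. 240.0.0.0/4
        return "reserved"
    if addr.is_private:         # RFC 1918 space and other IANA special-purpose ranges
        return "private"
    return "public"

def public_only(ips: Iterable[str]) -> List[str]:
    """Keep only valid public addresses, e.g. before querying a reputation API
    so that internal or malformed indicators are never sent out."""
    return [ip for ip in ips if classify_ip(ip) == "public"]

if __name__ == "__main__":
    # Constructed test inputs; 172.32.0.1 looks "private" but lies outside 172.16.0.0/12.
    for ip in ["192.168.1.1", "8.8.8.8", "10.0.0.1", "172.32.0.1",
               "127.0.0.1", "169.254.1.1", "999.1.1.1", "::1", "fd00::1"]:
        print(f"{ip}: {classify_ip(ip)}")
```

Note that `is_private` is broader than the RFC 1918 list in the lab's `is_private_ip`: documentation ranges such as 192.0.2.0/24 also count as private, which is usually what you want when filtering indicators.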

## 4. Regular Expressions for Security

In [None]:
import re

# Extract IPs from log line
log_line = "Failed login from 192.168.1.100 to 10.0.0.5 at 2024-01-15 10:30:00"

ip_pattern = r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
ips = re.findall(ip_pattern, log_line)
print(f"Found IPs: {ips}")

In [None]:
# Extract file hashes
text = "MD5: d41d8cd98f00b204e9800998ecf8427e SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

md5_pattern = r'\b[a-fA-F0-9]{32}\b'
sha256_pattern = r'\b[a-fA-F0-9]{64}\b'

md5_hashes = re.findall(md5_pattern, text)
sha256_hashes = re.findall(sha256_pattern, text)

print(f"MD5: {md5_hashes}")
print(f"SHA256: {sha256_hashes}")

## 5. Working with Files

In [None]:
import json

# Create sample threat data
threats = [
    {"ip": "45.33.32.156", "type": "c2", "score": 9.5},
    {"ip": "185.220.101.1", "type": "scanner", "score": 6.0},
]

# Write to JSON
with open("threats.json", "w") as f:
    json.dump(threats, f, indent=2)

# Read back
with open("threats.json", "r") as f:
    loaded = json.load(f)
    
print(f"Loaded {len(loaded)} threats")
print(json.dumps(loaded, indent=2))
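Reading and writing JSON is the easy half; the typical security task is to stream a log file line by line, count what matters, and write a summary back out. The following is an added example (not part of the lab) that runs a small brute-force detection over constructed auth-log lines, using a temporary directory so it leaves no files behind. `SAMPLE_LOG`, the threshold of 3 and the report layout are assumptions made for this example.

```python
import json
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample auth-log lines (not real data), in the style of the lab's log_line.
SAMPLE_LOG = """\
2024-01-15 10:30:00 Failed login for admin from 192.168.1.100
2024-01-15 10:30:02 Failed login for admin from 192.168.1.100
2024-01-15 10:30:05 Failed login for root from 192.168.1.100
2024-01-15 10:31:10 Accepted login for alice from 10.0.0.5
2024-01-15 10:32:40 Failed login for bob from 10.0.0.7
this line is malformed and must be skipped, not crash the parser
"""

# Capture the account name and the source IP of each failed attempt.
FAILED_RE = re.compile(r"Failed login for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def count_failed_logins(log_path) -> dict:
    """Return {source_ip: failed_attempts}, reading the file one line at a time
    so that multi-gigabyte logs never have to fit in memory."""
    counts = Counter()
    with open(log_path, "r", encoding="utf-8") as f:
        for line in f:
            match = FAILED_RE.search(line)
            if match:                      # lines that do not match are ignored
                counts[match.group(2)] += 1
    return dict(counts)

def flag_brute_force(counts: dict, threshold: int = 3) -> list:
    """Source IPs with at least `threshold` failed logins, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def write_report(counts: dict, flagged: list, threshold: int, out_path) -> None:
    """Persist the findings as JSON, the same way the lab writes threats.json."""
    report = {"failed_by_ip": counts, "flagged": flagged, "threshold": threshold}
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump(report, f, indent=2)

def analyze_log_text(log_text: str, threshold: int = 3) -> dict:
    """Run the whole pipeline (write log -> count -> flag -> write/read report)
    inside a temporary directory and return the parsed report."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = Path(tmp) / "auth.log"
        out_path = Path(tmp) / "report.json"
        log_path.write_text(log_text, encoding="utf-8")
        counts = count_failed_logins(log_path)
        flagged = flag_brute_force(counts, threshold)
        write_report(counts, flagged, threshold, out_path)
        return json.loads(out_path.read_text(encoding="utf-8"))

if __name__ == "__main__":
    print(json.dumps(analyze_log_text(SAMPLE_LOG), indent=2))
```

Iterating over the open file object (`for line in f`) is the idiom to remember: it never loads the whole file, unlike `f.read()`, and a regex `search` per line lets malformed lines fall through harmlessly.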

## 6. Making API Requests

In [None]:
import requests

# Example: Query a public API (httpbin for demo).
# httpbin.org/ip only echoes the caller's own public IP, so the `ip` argument
# is accepted but not used here; a real IP-reputation API would take it as a
# query parameter or path segment.
def check_ip_info(ip: str) -> dict:
    """Get information about an IP (demo using httpbin)."""
    try:
        response = requests.get("https://httpbin.org/ip", timeout=5)
        response.raise_for_status()  # treat HTTP 4xx/5xx as failures, not data
        return response.json()
    except requests.RequestException as e:
        return {"error": str(e)}

result = check_ip_info("8.8.8.8")
print(f"API Response: {result}")
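Real threat-intel APIs add three things the demo above skips: an API key (which belongs in an environment variable, never in the notebook), distinct handling of HTTP errors versus network errors, and care not to leak the key when printing headers. The following is an added example, not code from the lab; it uses the standard-library `urllib` so it runs without `requests` installed, and the environment variable name `THREAT_API_KEY` and the header names are assumptions for this example. Only the httpbin URL from the lab is used for the live call.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Optional

API_KEY_ENV = "THREAT_API_KEY"   # hypothetical variable name; read at call time, never hard-coded

def build_headers(api_key: Optional[str]) -> dict:
    """Standard request headers; the bearer token is added only when a key is present."""
    headers = {"Accept": "application/json", "User-Agent": "lab00a-ioc-checker/0.1"}
    if api_key:
        headers["Authorization"] = f"Bearer {api_key}"
    return headers

def redact_for_log(headers: dict) -> dict:
    """Copy of the headers that is safe to print or log: the token is masked."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer ***"
    return safe

def parse_json_response(status: int, body: bytes) -> dict:
    """Normalise a raw HTTP result into {'ok', 'status', 'data' | 'error'} so callers
    never have to distinguish a rate-limit (429) from a malformed body themselves."""
    if not 200 <= status < 300:
        return {"ok": False, "status": status, "error": f"HTTP {status}"}
    try:
        return {"ok": True, "status": status, "data": json.loads(body.decode("utf-8"))}
    except (UnicodeDecodeError, ValueError) as e:
        return {"ok": False, "status": status, "error": f"bad JSON: {e}"}

def query_api(url: str, timeout: float = 5.0) -> dict:
    """GET `url` with a timeout and uniform error handling; returns parse_json_response()."""
    api_key = os.environ.get(API_KEY_ENV)
    headers = build_headers(api_key)
    print(f"Requesting {url} with headers {redact_for_log(headers)}")
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_json_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:          # server answered with 4xx/5xx
        return parse_json_response(e.code, e.read())
    except OSError as e:                         # DNS failure, refused connection, timeout
        return {"ok": False, "status": None, "error": str(e)}

if __name__ == "__main__":
    # Live call to the same demo endpoint the lab uses; needs network access.
    print(json.dumps(query_api("https://httpbin.org/ip"), indent=2))
```

Splitting the parsing out into `parse_json_response` is what makes the client testable offline: you can feed it a captured status and body without any network, and the same function handles both the success path and the `HTTPError` path.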

## Exercise: Build an IOC Extractor

Combine what you learned to extract IOCs from text.

In [None]:
import json
import re

def extract_iocs(text: str) -> dict:
    """Extract various IOC types from text."""
    iocs = {
        "ips": re.findall(r'\b(?:\d{1,3}\.){3}\d{1,3}\b', text),
        "md5": re.findall(r'\b[a-fA-F0-9]{32}\b', text),
        "sha256": re.findall(r'\b[a-fA-F0-9]{64}\b', text),
        # One or more labels (1-63 chars each) followed by an alphabetic TLD, so a
        # multi-label host such as malware.example.com is captured whole rather
        # than being cut off after the first two labels.
        "domains": re.findall(r'\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}\b', text),
        "urls": re.findall(r'https?://[^\s<>"]+', text),
    }
    # Deduplicate; sorting keeps the output order stable between runs.
    return {k: sorted(set(v)) for k, v in iocs.items() if v}

# Test with sample threat report
report = """
The malware connects to 45.33.32.156 and evil-domain.com.
File hash: d41d8cd98f00b204e9800998ecf8427e
C2 URL: https://malware.example.com/beacon
"""

extracted = extract_iocs(report)
print(json.dumps(extracted, indent=2))
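Two things trip up a regex-only extractor on real reports: the IP pattern from section 4 happily accepts `999.1.1.1`, and analysts "defang" indicators (`hxxp://`, `evil[.]com`) precisely so that they are not clickable, which also hides them from the patterns above. The following is an added example (not the lab's solution) that extends the exercise with refanging, octet validation via `ipaddress`, SHA-1 support and order-preserving deduplication. `SAMPLE_REPORT` is constructed text and `extract_iocs_v2`, `refang` and `unique` are names chosen here.

```python
import ipaddress
import re
from typing import Iterable, List

# Defanging conventions seen in threat reports: hxxp(s)://, [.], (.), {.}
def refang(text: str) -> str:
    """Undo common defanging so the normal patterns can match."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return text

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 32 / 40 / 64 hex characters -> MD5 / SHA-1 / SHA-256. \b stops a 64-char hash
# from also being reported as a 32-char MD5.
HEX_RE = re.compile(r"\b[a-fA-F0-9]{32}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{64}\b")
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}\b")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

def valid_ipv4(candidate: str) -> bool:
    """True only if every octet is 0-255; the regex alone cannot check that."""
    try:
        return isinstance(ipaddress.ip_address(candidate), ipaddress.IPv4Address)
    except ValueError:
        return False

def unique(items: Iterable[str]) -> List[str]:
    """Deduplicate while keeping first-seen order (set() would scramble it)."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out

def extract_iocs_v2(text: str) -> dict:
    """Refang, extract, validate and deduplicate IOCs; hashes are lower-cased."""
    text = refang(text)
    result = {
        "ips": unique(ip for ip in IP_RE.findall(text) if valid_ipv4(ip)),
        "domains": unique(DOMAIN_RE.findall(text)),
        "urls": unique(URL_RE.findall(text)),
    }
    hashes = {}
    for h in HEX_RE.findall(text):
        hashes.setdefault(HASH_NAMES[len(h)], []).append(h.lower())
    for name in sorted(hashes):
        result[name] = unique(hashes[name])
    return {k: v for k, v in result.items() if v}

# Constructed sample report (not real data); the hashes are the well-known
# digests of the empty string, the 999.x address is deliberately invalid.
SAMPLE_REPORT = """\
Beacon to hxxps://malware[.]example[.]com/beacon and 45[.]33[.]32[.]156.
Dropper SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709, MD5 D41D8CD98F00B204E9800998ECF8427E.
Ignore 999.1.1.1 (not a valid address) and evil-domain.com.
"""

if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs_v2(SAMPLE_REPORT), indent=2))
```

Refang before matching, validate after matching: the regex is only a fast candidate finder, and `ipaddress` is the authority on whether a candidate is actually an address. Lower-casing hashes matters because the same file can otherwise appear twice in a report that mixes upper- and lower-case digests.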

## Next Steps

You've learned Python basics with security context! Continue to:
- **Lab 00b**: ML Concepts Primer
- **Lab 01**: Phishing Email Classifier