{
 "cells": [
  {
   "cell_type": "code",
   "execution_count": 1,
   "metadata": {
    "collapsed": true
   },
   "outputs": [],
   "source": [
    "import json\n",
    "from datetime import datetime, timedelta\n",
    "import matplotlib.pylab as plot\n",
    "import numpy as np"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {
    "collapsed": true
   },
   "outputs": [],
   "source": [
    "# Read data from http Zeek (formerly known as Bro) logs\n",
    "with open(\"http.log\",'r') as infile:\n",
    "    file_data = infile.read()\n",
    "    \n",
    "# Split file by newlines\n",
    "file_data = file_data.split('\\n')\n",
    "\n",
    "# Remove comment lines\n",
    "http_data = []\n",
    "for line in file_data:\n",
    "    if line[0] is not None and line[0] != \"#\":\n",
    "        http_data.append(line)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "{\n",
      "  \"/ftv2lastnode.gif\": 2, \n",
      "  \"/ftv2mnode.gif\": 2, \n",
      "  \"/pics/play_button_27x27px.gif\": 4, \n",
      "  \"/led.asp\": 2, \n",
      "  \"/pics/gray_corner_rt_5x50px.gif\": 4, \n",
      "  \"/img/device.gif\": 4, \n",
      "  \"/ RTSP/1.\": 5, \n",
      "  \"/pics/gray_corner_lt_5x50px.gif\": 4, \n",
      "  \"/webserverconfig.asp\": 1, \n",
      "  \"/auth/logo2_516.gif\": 5, \n",
      "  \"/index.htm\": 1, \n",
      "  \"/syslogserverconfig.asp\": 2, \n",
      "  \"/logo2_516.gif\": 1, \n",
      "  \"/neighbor_cache_table.asp\": 2, \n",
      "  \"/generalinst.htm\": 1, \n",
      "  \"/view/temp.shtml\": 2, \n",
      "  \"/img/checkbox_nchk.gif\": 1, \n",
      "  \"/jscript/sysstatus.js\": 1, \n",
      "  \"/SetModSerial.html\": 1, \n",
      "  \"/logo3.gif\": 2, \n",
      "  \"/status.jsp\": 1, \n",
      "  \"/port_setting.asp\": 1, \n",
      "  \"/syslog_message.asp\": 1, \n",
      "  \"/logo2_EDS-508A.gif\": 1, \n",
      "  \"/port_setting_show.asp\": 1, \n",
      "  \"/jscript/statistics.js\": 3, \n",
      "  \"/images/off.gif\": 3, \n",
      "  \"/pics/line_corner_rb_5x5px.gif\": 4, \n",
      "  \"/sysstatus.asp\": 1, \n",
      "  \"/overview.asp\": 4, \n",
      "  \"/jscript/powerconfig.js\": 1, \n",
      "  \"/jscript/login.js\": 4, \n",
      "  \"/mac_address_table_setting.asp\": 4, \n",
      "  \"/.git/HEAD\": 11, \n",
      "  \"/setid.html\": 1, \n",
      "  \"/network_setting_ipv6.asp\": 1, \n",
      "  \"/activate_button.gif\": 10, \n",
      "  \"/goform/svLogin\": 3, \n",
      "  \"/ftv2plastnode.gif\": 1, \n",
      "  \"/ftv2folderopen.gif\": 2, \n",
      "  \"/tasktracker.jsp\": 1, \n",
      "  \"/spconfig.asp\": 4, \n",
      "  \"/pics/line_corner_lt_5x5px.gif\": 4, \n",
      "  \"/pdmonitor.htm\": 1, \n",
      "  \"/settable.html\": 1, \n",
      "  \"/spconnect.asp\": 2, \n",
      "  \"/setdesc.html\": 1, \n",
      "  \"/jscript/ipconfig.js\": 3, \n",
      "  \"/syslogging.asp\": 1, \n",
      "  \"/images/connect.gif\": 2, \n",
      "  \"/jobtracker.jsp\": 1, \n",
      "  \"/ftv2pnode.gif\": 1, \n",
      "  \"/eip_setting.asp\": 1, \n",
      "  \"/ftv2mlastnode.gif\": 2, \n",
      "  \"/garp_timer_setting.asp\": 1, \n",
      "  \"/auth/md5.js\": 13, \n",
      "  \"/incl/activeX.js\": 4, \n",
      "  \"/pics/line_corner_lb_5x5px.gif\": 4, \n",
      "  \"/css/win_ns.css\": 6, \n",
      "  \"/browseDirectory.jsp\": 1, \n",
      "  \"/jscript/spconnect.js\": 2, \n",
      "  \"/modbus_setting.asp\": 1, \n",
      "  \"/master.jsp\": 1, \n",
      "  \"/hwinstall.htm\": 1, \n",
      "  \"/md5.js\": 3, \n",
      "  \"/snmpconfig.asp\": 3, \n",
      "  \"/bg.gif\": 2, \n",
      "  \"/url/ups1.scc\": 1, \n",
      "  \"/\": 187, \n",
      "  \"/rs-status\": 1, \n",
      "  \"/home.asp\": 10, \n",
      "  \"/bus_configuration.htm\": 1, \n",
      "  \"/pics/line_t_100x5px.gif\": 4, \n",
      "  \"/jscript/nfsserverconfig.js\": 1, \n",
      "  \"/setip.html\": 1, \n",
      "  \"/img/pxclogo.gif\": 20, \n",
      "  \"/robots.txt\": 11, \n",
      "  \"/port_setting726.asp\": 2, \n",
      "  \"/name.asp\": 2, \n",
      "  \"/dip_switch_setting.asp\": 1, \n",
      "  \"/jscript/powerunitmanage.js\": 1, \n",
      "  \"/jscript/syslogserverconfig.js\": 2, \n",
      "  \"/local_diagnostics.htm\": 1, \n",
      "  \"/jscript/slidemenu.js\": 6, \n",
      "  \"/powermanage.asp\": 1, \n",
      "  \"/ipconfig.asp\": 3, \n",
      "  \"/jscript/util.js\": 4, \n",
      "  \"/deviceinfo.htm\": 2, \n",
      "  \"/auth/led_auth.asp\": 13, \n",
      "  \"/images/ws_button3.gif\": 4, \n",
      "  \"/flumemaster.jsp\": 1, \n",
      "  \"/goform/EventLogList\": 2, \n",
      "  \"/settimeouts.html\": 1, \n",
      "  \"/tagbase_vlan_setting_show.asp\": 1, \n",
      "  \"12.1.2\": 2, \n",
      "  \"/img/device_s.gif\": 20, \n",
      "  \"/ftv2folderclosed.gif\": 2, \n",
      "  \"/favicon.ico\": 81, \n",
      "  \"/showstatus.html\": 1, \n",
      "  \"/techdata.htm\": 2, \n",
      "  \"/pics/blank.gif\": 4, \n",
      "  \"/dfshealth.jsp\": 1, \n",
      "  \"/images/block.gif\": 3, \n",
      "  \"/css/common.css\": 6, \n",
      "  \"/ftv2vertline.gif\": 2, \n",
      "  \"/stserial.asp\": 80, \n",
      "  \"/nice ports,/Trinity.txt.bak\": 8, \n",
      "  \"/port_setting_show726.asp\": 2, \n",
      "  \"/userloggedonlist.asp\": 1, \n",
      "  \"/reset_button.gif\": 2, \n",
      "  \"/login.asp\": 5, \n",
      "  \"/monitor_statistic_cnt_show.asp\": 2, \n",
      "  \"/getstatus.html\": 4737, \n",
      "  \"/ups1.scc\": 1, \n",
      "  \"/auth/topplan_auth.asp\": 15, \n",
      "  \"/pics/logo_70x29px.gif\": 4, \n",
      "  \"/view\": 1, \n",
      "  \"/ws_button3.gif\": 2, \n",
      "  \"sip:nm SIP/2.\": 4, \n",
      "  \"/pics/space.gif\": 4, \n",
      "  \"/jscript/rhostaccessctrl.js\": 2, \n",
      "  \"/powerconfig.asp\": 1, \n",
      "  \"/tagbase_vlan_setting.asp\": 1, \n",
      "  \"/ftv2node.gif\": 2, \n",
      "  \"/remote_diagnostics.htm\": 1, \n",
      "  \"/images/on.gif\": 2, \n",
      "  \"/jscript/webserverconfig.js\": 1, \n",
      "  \"/auth/loginin.gif\": 13, \n",
      "  \"/left_down_logo.asp\": 2, \n",
      "  \"/auth/accountpassword.asp\": 13, \n",
      "  \"/ftv2blank.gif\": 2, \n",
      "  \"/logo1.gif\": 2, \n",
      "  \"/images/logo.gif\": 4, \n",
      "  \"/rhostaccessctrl.asp\": 2, \n",
      "  \"/ipconfig.htm\": 2, \n",
      "  \"/auth/logo1.gif\": 13, \n",
      "  \"/view/index.shtml\": 7, \n",
      "  \"/ddnsconfig.asp\": 2, \n",
      "  \"/tcpserviceconfig.asp\": 1, \n",
      "  \"/auth/logo2_EDS-508A.gif\": 8, \n",
      "  \"/auth/name_auth.asp\": 13, \n",
      "  \"/monitor_port.asp\": 2, \n",
      "  \"/css/digistyle.css\": 4, \n",
      "  \"/pics/stop_button_27x27px.gif\": 4, \n",
      "  \"/pcp_configuration.htm\": 1, \n",
      "  \"/pics/line_b_100x5px.gif\": 4, \n",
      "  \"-\": 45, \n",
      "  \"/img/checkbox_chk.gif\": 1, \n",
      "  \"/view/view.shtml\": 4, \n",
      "  \"/img/hw_installation.gif\": 1, \n",
      "  \"/jscript/spconfig.js\": 3, \n",
      "  \"/jscript/snmpconfig.js\": 3, \n",
      "  \"/view/\": 9, \n",
      "  \"/vlan_set.asp\": 1, \n",
      "  \"/mjpg/video.mjpg\": 7, \n",
      "  \"/log_setting.asp\": 2, \n",
      "  \"/smtpconfig.asp\": 1, \n",
      "  \"/jscript/validation.js\": 4, \n",
      "  \"/clear_button.gif\": 2, \n",
      "  \"/phoenix_fl.js\": 20, \n",
      "  \"/jscript/smtpconfig.js\": 1, \n",
      "  \"/services.htm\": 3, \n",
      "  \"/pics/line_corner_rt_5x5px.gif\": 4, \n",
      "  \"/phoenix_fl.css\": 20, \n",
      "  \"/nfsserverconfig.asp\": 1, \n",
      "  \"/jscript/syslogging.js\": 1, \n",
      "  \"/auth/logo3.gif\": 13, \n",
      "  \"/stnetwork.asp\": 1, \n",
      "  \"/pics/gray_t_5x50px.gif\": 4, \n",
      "  \"/auth/auth.asp\": 23, \n",
      "  \"/jscript/default.js\": 4, \n",
      "  \"/d4-43.js\": 2, \n",
      "  \"/left.asp\": 2, \n",
      "  \"/jscript/ddnsconfig.js\": 2, \n",
      "  \"/img/sel.gif\": 16, \n",
      "  \"/ethernetconfig.asp\": 1\n",
      "}\n"
     ]
    }
   ],
   "source": [
    "# Let's stack uris\n",
    "uris = {}\n",
    "for line in http_data:\n",
    "    if len(line.split('\\t')) > 9:\n",
    "        uri = line.split('\\t')[9].split('?')[0].split('&')[0]\n",
    "        if uri not in uris.keys():\n",
    "            uris[uri] = 1\n",
    "        else:\n",
    "            uris[uri] += 1\n",
    "\n",
    "print(json.dumps(uris,indent=2))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "{\n",
      "  \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0\": 327, \n",
      "  \"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)\": 171, \n",
      "  \"-\": 103, \n",
      "  \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.64 Safari/537.36\": 5045, \n",
      "  \"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0\": 12, \n",
      "  \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0\": 99, \n",
      "  \"Wget/1.16.1 (linux-gnu)\": 1\n",
      "}\n"
     ]
    }
   ],
   "source": [
    "# Let's stack user agents\n",
    "user_agents = {}\n",
    "for line in http_data:\n",
    "    if len(line.split('\\t')) > 12:\n",
    "        user_agent = line.split('\\t')[11]\n",
    "        if user_agent not in user_agents.keys():\n",
    "            user_agents[user_agent] = 1\n",
    "        else:\n",
    "            user_agents[user_agent] += 1\n",
    "\n",
    "print(json.dumps(user_agents,indent=2))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "{\n",
      "  \"192.168.2.42\": {\n",
      "    \"192.168.88.115\": {\n",
      "      \"1445425464.684730\": 1, \n",
      "      \"1445425489.066291\": 1, \n",
      "      \"1445425456.492019\": 1, \n",
      "      \"1445425472.897110\": 1, \n",
      "      \"1445425505.330748\": 1, \n",
      "      \"1445425497.221008\": 1, \n",
      "      \"1445425472.798104\": 1, \n",
      "      \"1445425464.734434\": 1, \n",
      "      \"1445425489.264708\": 1, \n",
      "      \"1445425481.058994\": 1, \n",
      "      \"1445425456.491738\": 1, \n",
      "      \"1445425456.492152\": 1, \n",
      "      \"1445425464.684854\": 1, \n",
      "      \"1445425521.550031\": 1, \n",
      "      \"1445425456.491596\": 1, \n",
      "      \"1445425456.492557\": 1, \n",
      "      \"1445425513.438493\": 1, \n",
      "      \"1445425480.908743\": 1\n",
      "    }\n",
      "  }, \n",
      "  \"192.168.2.64\": {\n",
      "    \"192.168.88.25\": {\n",
      "      \"1445422296.875484\": 1, \n",
      "      \"1445422290.967679\": 1, \n",
      "      \"1445422289.381463\": 1, \n",
      "      \"1445422289.591706\": 1, \n",
      "      \"1445422290.459930\": 1, \n",
      "      \"1445422323.002866\": 1, \n",
      "      \"1445422289.808332\": 1, \n",
      "      \"1445422291.185004\": 1, \n",
      "      \"1445422290.239258\": 1, \n",
      "      \"1445422296.668006\": 1, \n",
      "      \"1445422290.239120\": 1, \n",
      "      \"1445422292.854650\": 1, \n",
      "      \"1445422290.678547\": 1, \n",
      "      \"1445422290.020238\": 1, \n",
      "      \"1445422314.053171\": 1, \n",
      "      \"1445422313.799369\": 1, \n",
      "      \"1445422291.184861\": 1, \n",
      "      \"1445422300.715145\": 1\n",
      "    }, \n",
      "    \"192.168.88.115\": {\n",
      "      \"1445422321.290313\": 1, \n",
      "      \"1445422300.766784\": 1, \n",
      "      \"1445422320.650723\": 1, \n",
      "      \"1445422321.503861\": 1, \n",
      "      \"1445422300.184951\": 1, \n",
      "      \"1445422321.928420\": 1, \n",
      "      \"1445422320.867814\": 1, \n",
      "      \"1445422291.938518\": 1, \n",
      "      \"1445422322.355297\": 1, \n",
      "      \"1445422292.693354\": 1, \n",
      "      \"1445422321.713691\": 1, \n",
      "      \"1445422316.046787\": 1, \n",
      "      \"1445422322.142027\": 1, \n",
      "      \"1445422321.077807\": 1, \n",
      "      \"1445422291.454377\": 1\n",
      "    }, \n",
      "    \"192.168.88.20\": {\n",
      "      \"1445422298.992223\": 1, \n",
      "      \"1445422291.885333\": 1, \n",
      "      \"1445422302.855427\": 1, \n",
      "      \"1445422300.497165\": 1, \n",
      "      \"1445422299.414991\": 1, \n",
      "      \"1445422315.698055\": 1, \n",
      "      \"1445422300.287326\": 1, \n",
      "      \"1445422290.968135\": 1, \n",
      "      \"1445422299.207919\": 1, \n",
      "      \"1445422299.839276\": 1, \n",
      "      \"1445422298.777344\": 1, \n",
      "      \"1445422300.078390\": 1, \n",
      "      \"1445422313.532961\": 1, \n",
      "      \"1445422299.628075\": 1\n",
      "    }, \n",
      "    \"192.168.88.100\": {\n",
      "      \"1445422308.102295\": 1, \n",
      "      \"1445422289.380025\": 1, \n",
      "      \"1445422290.915620\": 1, \n",
      "      \"1445422297.138751\": 1, \n",
      "      \"1445422290.513640\": 1\n",
      "    }, \n",
      "    \"192.168.88.51\": {\n",
      "      \"1445422295.870961\": 1, \n",
      "      \"1445422300.023159\": 1, \n",
      "      \"1445422320.920019\": 1, \n",
      "      \"1445422303.707740\": 1, \n",
      "      \"1445422296.667868\": 1, \n",
      "      \"1445422289.754808\": 1, \n",
      "      \"1445422299.364282\": 1, \n",
      "      \"1445422297.667609\": 1, \n",
      "      \"1445422292.639583\": 1, \n",
      "      \"1445422298.789861\": 1, \n",
      "      \"1445422289.381938\": 1, \n",
      "      \"1445422290.520664\": 1, \n",
      "      \"1445422296.027733\": 1, \n",
      "      \"1445422300.212852\": 1, \n",
      "      \"1445422292.587508\": 1, \n",
      "      \"1445422300.341810\": 1, \n",
      "      \"1445422295.554722\": 1, \n",
      "      \"1445422299.694729\": 1, \n",
      "      \"1445422295.714594\": 1, \n",
      "      \"1445422300.498336\": 1, \n",
      "      \"1445422293.066879\": 1, \n",
      "      \"1445422292.476080\": 1, \n",
      "      \"1445422299.696478\": 1, \n",
      "      \"1445422289.592098\": 1, \n",
      "      \"1445422303.873797\": 1, \n",
      "      \"1445422300.660455\": 1, \n",
      "      \"1445422290.349694\": 1, \n",
      "      \"1445422299.260279\": 1, \n",
      "      \"1445422299.840329\": 1, \n",
      "      \"1445422289.385586\": 1, \n",
      "      \"1445422296.188602\": 1, \n",
      "      \"1445422299.518622\": 1, \n",
      "      \"1445422298.727806\": 1, \n",
      "      \"1445422320.466621\": 1, \n",
      "      \"1445422296.506938\": 1, \n",
      "      \"1445422296.349914\": 1, \n",
      "      \"1445422323.263679\": 1, \n",
      "      \"1445422296.824060\": 1, \n",
      "      \"1445422303.927905\": 1\n",
      "    }, \n",
      "    \"192.168.88.49\": {\n",
      "      \"1445422302.534936\": 1, \n",
      "      \"1445422292.047762\": 1, \n",
      "      \"1445422289.380561\": 1, \n",
      "      \"1445422302.965697\": 1, \n",
      "      \"1445422302.746772\": 1, \n",
      "      \"1445422291.619375\": 1, \n",
      "      \"1445422303.183484\": 1, \n",
      "      \"1445422307.565998\": 1, \n",
      "      \"1445422301.635377\": 1, \n",
      "      \"1445422313.849169\": 1, \n",
      "      \"1445422302.111056\": 1, \n",
      "      \"1445422303.397388\": 1, \n",
      "      \"1445422302.325429\": 1, \n",
      "      \"1445422301.899644\": 1\n",
      "    }, \n",
      "    \"192.168.88.60\": {\n",
      "      \"1445422289.865632\": 1, \n",
      "      \"1445422289.591967\": 1, \n",
      "      \"1445422291.235170\": 1, \n",
      "      \"1445422291.885204\": 1, \n",
      "      \"1445422289.381938\": 1, \n",
      "      \"1445422291.018922\": 1, \n",
      "      \"1445422306.307627\": 1, \n",
      "      \"1445422290.565864\": 1, \n",
      "      \"1445422292.319808\": 1, \n",
      "      \"1445422299.890418\": 1, \n",
      "      \"1445422292.100843\": 1, \n",
      "      \"1445422289.381132\": 1, \n",
      "      \"1445422298.992366\": 1, \n",
      "      \"1445422291.454248\": 1, \n",
      "      \"1445422289.379891\": 1, \n",
      "      \"1445422289.865921\": 1, \n",
      "      \"1445422298.777468\": 1\n",
      "    }, \n",
      "    \"192.168.88.61\": {\n",
      "      \"1445422300.131605\": 1, \n",
      "      \"1445422289.591833\": 1, \n",
      "      \"1445422300.988103\": 1, \n",
      "      \"1445422292.798306\": 1, \n",
      "      \"1445422289.866199\": 1, \n",
      "      \"1445422290.915767\": 1, \n",
      "      \"1445422299.679622\": 1, \n",
      "      \"1445422297.244478\": 1, \n",
      "      \"1445422300.766659\": 1, \n",
      "      \"1445422301.201058\": 1, \n",
      "      \"1445422299.466633\": 1, \n",
      "      \"1445422293.119720\": 1, \n",
      "      \"1445422300.548608\": 1, \n",
      "      \"1445422299.890145\": 1, \n",
      "      \"1445422300.339324\": 1\n",
      "    }, \n",
      "    \"192.168.88.95\": {\n",
      "      \"1445422289.380290\": 1, \n",
      "      \"1445422344.783066\": 1, \n",
      "      \"1445422352.905377\": 1, \n",
      "      \"1445422317.744378\": 1, \n",
      "      \"1445422321.022581\": 1, \n",
      "      \"1445422320.387407\": 1, \n",
      "      \"1445422295.370559\": 1, \n",
      "      \"1445422309.529967\": 1, \n",
      "      \"1445422336.568033\": 1, \n",
      "      \"1445422320.490386\": 1, \n",
      "      \"1445422301.580724\": 1, \n",
      "      \"1445422337.822249\": 1, \n",
      "      \"1445422305.513430\": 1, \n",
      "      \"1445422348.751232\": 1, \n",
      "      \"1445422290.347162\": 1, \n",
      "      \"1445422289.380169\": 1\n",
      "    }\n",
      "  }\n",
      "}\n"
     ]
    }
   ],
   "source": [
    "# Let's search for the nmap user agent\n",
    "suspicious_user_agents = ['Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)']\n",
    "nmap_scanned_hosts = {}\n",
    "for line in http_data:\n",
    "    if len(line.split('\\t')) > 12:\n",
    "        timestamp = line.split('\\t')[0]\n",
    "        client = line.split('\\t')[2]\n",
    "        server = line.split('\\t')[4]\n",
    "        user_agent = line.split('\\t')[11]\n",
    "        if user_agent in suspicious_user_agents:\n",
    "            if client not in nmap_scanned_hosts.keys():\n",
    "                nmap_scanned_hosts[client] = {server:{timestamp:1}}\n",
    "            elif server not in nmap_scanned_hosts[client].keys():\n",
    "                nmap_scanned_hosts[client][server] = {timestamp: 1}\n",
    "            elif timestamp not in nmap_scanned_hosts[client][server].keys():\n",
    "                nmap_scanned_hosts[client][server][timestamp] = 1\n",
    "            else:\n",
    "                nmap_scanned_hosts[client][server][timestamp] += 1\n",
    "\n",
    "print(json.dumps(nmap_scanned_hosts,indent=2))"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "client ip,server ip,num requests\n",
      "192.168.2.42,192.168.88.115,18\n",
      "192.168.2.64,192.168.88.100,5\n",
      "192.168.2.64,192.168.88.115,15\n",
      "192.168.2.64,192.168.88.20,14\n",
      "192.168.2.64,192.168.88.25,18\n",
      "192.168.2.64,192.168.88.49,14\n",
      "192.168.2.64,192.168.88.51,39\n",
      "192.168.2.64,192.168.88.60,17\n",
      "192.168.2.64,192.168.88.61,15\n",
      "192.168.2.64,192.168.88.95,16\n"
     ]
    }
   ],
   "source": [
    "# Add up the number of requests the client made to the server\n",
    "print(\"client ip,server ip,num requests\")\n",
    "suspicious_hosts = {}\n",
    "for client in sorted(nmap_scanned_hosts.keys()):\n",
    "    for server in sorted(nmap_scanned_hosts[client].keys()):\n",
    "        print(client + \",\" + server + \",\" + str(len(nmap_scanned_hosts[client][server])))\n",
    "        if client not in suspicious_hosts.keys():\n",
    "            suspicious_hosts[client] = [server]\n",
    "        else:\n",
    "            suspicious_hosts[client].append(server)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 7,
   "metadata": {
    "collapsed": true
   },
   "outputs": [],
   "source": [
    "# Write CSV file out for display/distribution in excel\n",
    "with open('suspicious_http_records.csv','w') as outfile:\n",
    "    outfile.write(\"ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,trans_depth,method,host,uri,referrer,user_agent,request_body_len,response_body_len,status_code,status_msg,info_code,info_msg,filename,tags,username,password,proxied,orig_fuids,orig_mime_types,resp_fuids,resp_mime_types\\n\")\n",
    "    for line in http_data:\n",
    "        if len(line.split('\\t')) > 12:\n",
    "            timestamp = line.split('\\t')[0]\n",
    "            client = line.split('\\t')[2]\n",
    "            server = line.split('\\t')[4]\n",
    "            user_agent = line.split('\\t')[11]\n",
    "            uri = line.split('\\t')[9]\n",
    "            if client in suspicious_hosts.keys():\n",
    "                if server in suspicious_hosts[client]:\n",
    "                    outfile.write(\"\\\"\" + line.replace(\"\\t\",\"\\\",\\\"\") + \"\\\"\\n\")\n"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 2",
   "language": "python",
   "name": "python2"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 2
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython2",
   "version": "2.7.13"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 2
}