analyze.py

1. #!/usr/bin/python -tt
2.  
3. # You have been asked to investigate an incident.  The business unit provided a log file (drops.csv) for your investigation.  Use the skeleton framework to:
4. # 1) What are the top 10 destination ports that are dropped?
5. # 2) Identify the top 10 source addresses that are generating drops (and the number of drops for the top 10) but do *NOT* count RFC1918 addresses
6. # 3) Identify the top 10 class C SUBNETS that are generating drops (and the number of drops for the top 10 subnets)
7.  
8.  
9. import re
10. from IPy import IP
11. from netaddr import IPNetwork, IPAddress
12.  
13. private_ranges = [IP('10.0.0.0/8'), IP('172.16.0.0/12'), IP('192.168.0.0/16')]
14.  
15. def open_file():
16.     f = open('drops.csv', 'r')
17.     return f
18.     f.close()
19.  
20. def get_count(row_count_tuple):
21.   """Returns the count from a dict word/count tuple  -- used for custom sort."""
22.   return row_count_tuple[1]
23.  
24.    
25. def is_private(addr):
26.     return any(addr in range for range in private_ranges)
27.    
28.  
29. def top_ports():
30. # What are the top 10 destination ports that are dropped?
31. # +++your code here+++
32.     mydict = {}
33.     f = open_file()
34.    
35.     for line in f:
36.         lines = line.split(',')
37.         for word in lines[2:-2]:
38.             if not word in mydict:
39.                 mydict[word] = 1
40.             else:
41.                 mydict[word] = mydict[word] +1
42.     tops = mydict
43.     items = sorted(tops.items(), key=get_count, reverse=True)
44.     print '-----------'
45.     print 'Top 10 Dst Ports'
46.     print '-----------'
47.     for item in items[:10]:
48.         print item[0]
49.        
50.  
51. def top_external_addresses():
52. # Identify the top 10 source addresses that are generating drops (and the number of drops for the top 10) but do *NOT* count RFC1918 addresses
53. # +++your code here+++
54.     mydict = {}
55.     f = open_file()
56.    
57.     for line in f:
58.         lines = line.split(',')
59.         for top_src_addr in lines[3:-1]:
60.             if not top_src_addr in mydict:
61.                 mydict[top_src_addr] = 1
62.             else:
63.                 mydict[top_src_addr] = mydict[top_src_addr] +1             
64.     tops = mydict
65.     items = sorted(tops.items(), key=get_count, reverse=True)  
66.    
67.     print '-----------'
68.     print 'Top 10 Src Addr'
69.     print 'Address Count'
70.     print '-----------'
71.    
72.     for item in items[:34]:
73.         k = is_private(item[0])
74.         if k != True:
75.             print item[0],
76.             print '  ',
77.             print item[1]
78.        
79.  
80. def top_subnets():
81. # Identify the top 10 class C SUBNETS that are generating drops (and the number of drops for the top 10 subnets)
82. # +++your code here+++
83.  
84.     mydict = {}
85.     f = open_file()
86.    
87.     for line in f:
88.         lines = line.split(',')
89.         lala = lines.remove(lines[2])
90.  
91.         for top_src_addr in lines[1:2]:
92.             if not top_src_addr in mydict:
93.                 mydict[top_src_addr] = 1
94.             else:
95.                 mydict[top_src_addr] = mydict[top_src_addr] +1             
96.     tops = mydict
97.     items = sorted(tops.items(), key=get_count, reverse=True)  
98.  
99.     print '-----------'
100.     print 'Top 10 class C Subnets'
101.     print 'Address Count'
102.     print '-----------'
103.    
104.     for item in items[:41]:
105.         if IPAddress(item[0]) in IPNetwork("192.168.0.0/3"):
106.             print item[0],
107.             print '  ',
108.             print item[1]
109.  
110. ###
111. def main():
112.     top_ports()
113.     top_external_addresses()
114.     top_subnets()
115.    
116. if __name__ == '__main__':
117.   main()