| { |
| "cells": [ |
| { |
| "cell_type": "markdown", |
| "metadata": {}, |
| "source": [ |
| "## Get Suspicious DNS\n", |
| "\n", |
| "`GraphQLClient` is never imported in this notebook; it must already exist in the kernel before the cells below run. The date and data source are taken from the working directory (`.../<dsource>/<YYYYMMDD>`), so the notebook has to be started from that directory." |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": { |
| "collapsed": false |
| }, |
| "outputs": [], |
| "source": [ |
| "import urllib2\n", |
| "import json\n", |
| "import os \n", |
| "import datetime\n", |
| "\n", |
| "# date and dsource come from the working directory: run from .../<dsource>/<YYYYMMDD>; date is parsed with strptime('%Y%m%d') below.\n", |
| "path = os.getcwd().split(\"/\") \n", |
| "date = path[len(path)-1] \n", |
| "dsource = path[len(path)-2]" |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": { |
| "collapsed": false |
| }, |
| "outputs": [], |
| "source": [ |
| "def apply_css_to_select(select):\n", |
| " select._css = (\n", |
| " (None, 'height', '90%'),\n", |
| " (None, 'width', '90%'),\n", |
| " ('select', 'overflow-x', 'auto'),\n", |
| " ('select', 'width', '100%'),\n", |
| " ('select', 'margin', 0)\n", |
| " )\n", |
| "\n", |
| "try:\n", |
| " import ipywidgets as widgets # For jupyter/ipython >= 1.4\n", |
| "except ImportError:\n", |
| " from IPython.html import widgets\n", |
| "from IPython.display import display, HTML, clear_output, Javascript \n", |
| "\n", |
| "def fill_list(list_control,source):\n", |
| " options_list = ['- Select -'] \n", |
| " options_list.extend([s for s in source])\n", |
| " list_control.options = options_list\n", |
| "\n", |
| "# client panel\n", |
| "client_header = widgets.HTML(value=\"Client IP\")\n", |
| "client_select = widgets.Select(height='90%')\n", |
| "apply_css_to_select(client_select)\n", |
| "\n", |
| "client_box = widgets.Box(width='20%', height='100%')\n", |
| "client_box.children = [client_header, client_select]\n", |
| "\n", |
| "# query panel\n", |
| "query_header = widgets.HTML(value=\"Query\")\n", |
| "query_select = widgets.Select(height='90%')\n", |
| "apply_css_to_select(query_select)\n", |
| "\n", |
| "query_box = widgets.Box(width='60%', height='100%')\n", |
| "query_box.children = [query_header, query_select]\n", |
| "\n", |
| "# Actions Panel\n", |
| "actions_header = widgets.HTML(value=\" \")\n", |
| "quick_text = widgets.Text(value='', width='100%', placeholder='Quick scoring')\n", |
| "quick_text._css = (\n", |
| " (None, 'width', '100%'),\n", |
| ")\n", |
| "rating_btn = widgets.RadioButtons(description='Rating:', options=['1', '2', '3'], width='100%')\n", |
| "assign_btn = widgets.Button(description='Score', width='45%')\n", |
| "assign_btn.button_style = 'primary'\n", |
| "save_btn = widgets.Button(description='Save', width='45%')\n", |
| "save_btn.button_style = 'primary'\n", |
| "save_btn._css = (\n", |
| " (None, 'margin-left', '10%'),\n", |
| ")\n", |
| "actions_box = widgets.Box(width='20%', height='100%')\n", |
| "actions_box.children = [actions_header,quick_text,rating_btn, assign_btn,save_btn]\n", |
| "\n", |
| "scoring_form = widgets.HBox(width='90%', height=250)\n", |
| "scoring_form.children = [client_box,query_box,actions_box]\n", |
| "\n", |
| "rest_msg_box = widgets.HTML()\n", |
| "\n", |
| "global score_values \n", |
| "\n", |
| "score_values = []\n", |
| "\n", |
| "def data_loader(): \n", |
| " us_ips = []\n", |
| " us_dns = []\n", |
| " scored = []\n", |
| " \n", |
| " global score_values\n", |
| " query=\"\"\"query($date:SpotDateType!) {\n", |
| " dns{\n", |
| " suspicious(date:$date){\n", |
| " dnsQuery\n", |
| " clientIp\n", |
| " }\n", |
| " }\n", |
| " }\"\"\"\n", |
| " variables={\n", |
| " 'date': datetime.datetime.strptime(date, '%Y%m%d').strftime('%Y-%m-%d')\n", |
| " }\n", |
| " \n", |
| " for item in score_values:\n", |
| " scored.append(item[0])\n", |
| " scored.append(item[1])\n", |
| " \n", |
| " response = GraphQLClient.request(query, variables)\n", |
| " \n", |
| " if not 'errors' in response:\n", |
| " for row in response['data']['dns']['suspicious']: \n", |
| " if row['clientIp'] not in us_ips and row['clientIp'] not in scored: \n", |
| " us_ips.append(row['clientIp'])\n", |
| " if row['dnsQuery'] not in us_dns and row['dnsQuery'] not in scored:\n", |
| " us_dns.append(row['dnsQuery']) \n", |
| "\n", |
| " fill_list(client_select,us_ips)\n", |
| " fill_list(query_select,us_dns)\n", |
| " client_select.value = \"- Select -\"\n", |
| " query_select.value = \"- Select -\" \n", |
| "\n", |
| "\n", |
| "display(Javascript(\"$('.widget-area > .widget-subarea > *').remove();\"))\n", |
| "data_loader()\n", |
| "display(scoring_form)" |
| ] |
| }, |
| { |
| "cell_type": "markdown", |
| "metadata": {}, |
| "source": [ |
| "# Update Suspicious DNS\n", |
| "\n", |
| "Caveats before scoring:\n", |
| "\n", |
| "- `assign_score` removes scored rows from the lists via `display(Javascript(...))`, splicing `client_select.value`, `query_select.value` and the typed `quick_text.value` into a JavaScript string literal by plain concatenation. The DNS query names come straight from the GraphQL response, so a value containing a double quote, backslash or newline breaks out of the literal and the rest of the value is handed to the notebook frontend as JavaScript. Because `data_loader()` is called right afterwards and already filters out everything in `score_values`, these `Javascript` calls can simply be dropped; if kept, JSON-encode the values (e.g. `json.dumps`) before embedding them. Note also that `:nth-of-type` is 1-based, so the `nth-of-type(0)` selector used for the client list most likely matches nothing.\n", |
| "- Quick scoring matches with `endswith`, which is not label-aligned: entering `example.com` also scores `notexample.com`, and the client IP recorded for such rows is empty.\n", |
| "- `save` sends every pending score in one mutation and then calls `reloadParentData()`, which must be provided by the page embedding this notebook." |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": { |
| "collapsed": false |
| }, |
| "outputs": [], |
| "source": [ |
| "import csv\n", |
| "import datetime\n", |
| "import subprocess \n", |
| "\n", |
| "\n", |
| "def assign_score(b):\n", |
| " clear_output()\n", |
| " sev = int(rating_btn.selected_label) \n", |
| "\n", |
| " if quick_text.value: \n", |
| " ip = \"\"\n", |
| " dns = quick_text.value\n", |
| " dns_sev = int(rating_btn.selected_label) \n", |
| " for query in query_select.options:\n", |
| " if query.endswith(dns): \n", |
| " score_values.append((ip,query,sev))\n", |
| " else: \n", |
| " ip = client_select.value if not \"- Select -\" in client_select.value else \"\"\n", |
| " dns = query_select.value if not \"- Select -\" in query_select.value else \"\"\n", |
| " score_values.append((ip,dns,sev))\n", |
| " clear_output()\n", |
| " \n", |
| " if client_select.value != \"- Select -\": \n", |
| " display(Javascript(\"$(\\\"option:nth-of-type(0)[data-value='\" + client_select.value +\"']\\\").remove();\"))\n", |
| " if quick_text.value:\n", |
| " display(Javascript(\"$(\\\"option:nth-of-type(1)[data-value$='\" + dns +\"']\\\").remove();\"))\n", |
| " elif query_select.value != \"- Select -\":\n", |
| " display(Javascript(\"$(\\\"option:nth-of-type(1)[data-value='\" + query_select.value +\"']\\\").remove();\"))\n", |
| "\n", |
| " client_select.value = \"- Select -\"\n", |
| " query_select.value = \"- Select -\"\n", |
| " quick_text.value = \"\" \n", |
| " \n", |
| " rest_msg_box.visible = False\n", |
| " data_loader() \n", |
| " \n", |
| " print \"Click the 'Save' button when you're finished scoring\" \n", |
| "\n", |
| " \n", |
| "def reset_scoring():\n", |
| " response = GraphQLClient.request(\n", |
| " query=\"\"\"mutation($date:SpotDateType!) {\n", |
| " dns{\n", |
| " resetScoredConnections(date:$date){\n", |
| " success\n", |
| " }\n", |
| " }\n", |
| " }\"\"\",\n", |
| " variables={\n", |
| " 'date': datetime.datetime.strptime(date, '%Y%m%d').strftime('%Y-%m-%d')\n", |
| " }\n", |
| " ) \n", |
| " \n", |
| " if not 'errors' in response:\n", |
| " rest_msg_box.value=\"Suspicious connects successfully reset\"\n", |
| " data_loader()\n", |
| " rest_msg_box.visible = True\n", |
| " display(rest_msg_box)\n", |
| " else:\n", |
| " print \"An error ocurred: \" + response['errors'][0]['message']\n", |
| " \n", |
| " \n", |
| "def save(b): \n", |
| " variables=[]\n", |
| " global score_values\n", |
| " mutation=\"\"\"mutation($input:[DnsScoreType!]!)\n", |
| " {\n", |
| " dns{\n", |
| " score(input:$input)\n", |
| " {success}\n", |
| " }\n", |
| " }\"\"\" \n", |
| " \n", |
| " for row in score_values:\n", |
| " variables.append({\n", |
| " 'date': datetime.datetime.strptime(date, '%Y%m%d').strftime('%Y-%m-%d'),\n", |
| " 'clientIp': row[0] if row[0] != \"\" else None,\n", |
| " 'dnsQuery': row[1] if row[1] != \"\" else None,\n", |
| " 'score': row[2] if row[2] != \"\" else None \n", |
| " })\n", |
| "\n", |
| " var = {'input':variables}\n", |
| " response = GraphQLClient.request(mutation,var)\n", |
| " \n", |
| " score_values = []\n", |
| " if not 'errors' in response:\n", |
| " clear_output() \n", |
| " display(Javascript(\"$('.widget-area > .widget-subarea > *').remove();\"))\n", |
| " data_loader() \n", |
| " display(scoring_form)\n", |
| " display(Javascript('reloadParentData();')) \n", |
| " print \"Suspicious connects successfully updated\"\n", |
| " else:\n", |
| " print \"An error ocurred: \" + response['errors'][0]['message']\n", |
| " \n", |
| " \n", |
| "assign_btn.on_click(assign_score)\n", |
| "save_btn.on_click(save) " |
| ] |
| }, |
| { |
| "cell_type": "code", |
| "execution_count": null, |
| "metadata": { |
| "collapsed": true |
| }, |
| "outputs": [], |
| "source": [ |
| "# reset_scoring() - intentionally commented out. It sends the resetScoredConnections mutation for this date, which (per its name) discards the scores already saved on the server; uncomment only to start scoring from scratch." |
| ] |
| } |
| ], |
| "metadata": { |
| "kernelspec": { |
| "display_name": "Python 2", |
| "language": "python", |
| "name": "python2" |
| }, |
| "language_info": { |
| "codemirror_mode": { |
| "name": "ipython", |
| "version": 2 |
| }, |
| "file_extension": ".py", |
| "mimetype": "text/x-python", |
| "name": "python", |
| "nbconvert_exporter": "python", |
| "pygments_lexer": "ipython2", |
| "version": "2.7.10" |
| } |
| }, |
| "nbformat": 4, |
| "nbformat_minor": 0 |
| } |