
How can I detect which ports in a log file are dangerous using Python?

I know basic Python and I have a log file. I have already printed the ports from the log file, and there are a great many ports in the output.
I want to know how to select only the dangerous ports from the printed ports, how to extract the IP addresses associated with those ports, and finally how to tell whether each IP address is a local or a global address.

import ipaddress
import os
import re
from collections import Counter
asc_order: list[int] = []  # read by main() via map(int, ...), but nothing in this file appends to it
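def openfile(filename):
    """Return the whole text of *filename*, or None if the path does not exist.

    Args:
        filename: path of the log file to read.

    Returns:
        The file contents as one string, or None when *filename* does not exist.
    """
    if not os.path.exists(filename):
        return None
    # The context manager closes the handle; the original never closed it and
    # its trailing ``return None`` was unreachable.
    with open(filename, "r") as handle:
        return handle.read()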
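# One ``key=value`` or ``key="value with spaces"`` token; the value may be empty.
_KV_RE = re.compile(r'([^\s=]+)=(?:"([^"]*)"|(\S*))')


def parselog(logline):
    """Parse one key=value style log line into a dict of string fields.

    Tokens of the form ``key=value`` or ``key="value with spaces"`` are
    collected; the surrounding double quotes are dropped. Tokens without an
    ``=`` (the syslog header ``2017-04-17 00:00:00 Local7.Info``) are ignored,
    so ``date`` is taken from the ``date=`` token like every other field.
    Unlike the original, a token without ``=`` no longer raises IndexError and
    a quoted value containing spaces is kept whole.

    Args:
        logline: one line of the log.

    Returns:
        Mapping of field name to string value; ``user=""`` and ``srcip=`` both
        yield the empty string.
    """
    record = {}
    for key, quoted, bare in _KV_RE.findall(logline):
        # findall returns "" for the alternative that did not participate, so
        # whichever group is non-empty holds the value; both empty means "".
        # The bare branch is still stripped of stray quotes (an unterminated
        # quote) to stay as tolerant as the original ``strip('"')``.
        record[key] = quoted if quoted else bare.strip('"')
    return record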
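def splitline(logall):
    """Split the full log text into its non-blank lines.

    The original loop body was missing, so the function always returned an
    empty list; this returns each line in order, dropping whitespace-only
    lines, and also handles ``\\r\\n`` line endings.

    Args:
        logall: the whole text of the log file.

    Returns:
        List of non-blank lines, in file order.
    """
    return [line for line in logall.splitlines() if line.strip()]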
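def _address_scope(text):
    """Classify an IP address string as "private", "global" or "unknown".

    "private" follows ``ipaddress.is_private`` (RFC 1918 ranges, loopback,
    link-local and similar); a value that does not parse, such as the empty
    ``srcip=`` seen in some records, is reported as "unknown".
    """
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return "unknown"
    return "private" if addr.is_private else "global"


def main(filename="/Users/angelin/Desktop/new sec/2017-04-18_010.082.012.003.txt",
         watch_ports=None):
    """Count destination ports in the log and print a summary.

    Args:
        filename: path of the log file; defaults to the original hard-coded path.
        watch_ports: optional collection of destination port numbers the
            caller wants reported individually (which ports count as
            "dangerous" is the caller's policy decision, not decided here).
            For every record whose dstport is in this set the source and
            destination addresses are printed together with whether each
            is a private or a global address.

    Fixes relative to the original: returns after "File not found" instead of
    crashing on ``splitline(None)``; the counter increment had lost its
    ``else`` branch so every port was reset to 1; the ascending listing read
    a global that was never filled; ``print ""`` was Python 2 syntax.
    """
    text = openfile(filename)
    if text is None:
        print("File not found")
        return
    watched = {int(p) for p in watch_ports} if watch_ports else set()
    counts = Counter()
    hits = []
    for line in splitline(text):
        # Short lines are not full records (same threshold as the original).
        if len(line) <= 50:
            continue
        record = parselog(line)
        port = record.get("dstport", "")
        if not port.isdigit():
            continue
        port = int(port)
        counts[port] += 1
        if port in watched:
            hits.append((port, record.get("srcip", ""), record.get("dstip", "")))
    for port in sorted(counts):
        print("Dest Port : %d" % port)
    print("")
    # most_common() is the descending-by-count order the original sorted for.
    for port, n in counts.most_common():
        print('Dest Port %s Count: %s' % (port, n))
    for port, src, dst in hits:
        print("Port %d: src %s (%s) -> dst %s (%s)"
              % (port, src, _address_scope(src), dst, _address_scope(dst)))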

if __name__ == "__main__":
    # Run the report only when executed as a script, not on import.
    main()

Example log file (one record):

2017-04-17 00:00:00 Local7.Info date=2017-04-16 time=23:59:59 devname=IDS-DC14-001 devid=FGT90D3Z15018997 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd=root appid=27946 user="" srcip= srcport=9170 srcintf="wan1" dstip= dstport=53 dstintf="wan1" profiletype="applist" proto=17 service="DNS" policyid=3 sessionid=39717767 applist="sniffer-profile" appcat="Cloud.IT" app="Fortiguard.Search" action=pass msg="Cloud.IT: Fortiguard.Search," apprisk=medium