Python Scripts

I’m consistently impressed by Python and the power it gives anyone to automate a myriad of tasks.  I encourage all security professionals to learn Python as you have or will more than likely run into a problem that requires some kind of automation.  I got started by going through the excellent How to Think Like a Computer Scientist tutorial.

I’m not a Python expert by any means but I’ve written a few scripts that I thought I’d share in the hopes that others may find them useful.  Forgive any inefficiencies!

bro_missed_rotate.py 

I *love* Bro and think it’s an amazing open source security tool.  For those unfamiliar, it is a “network analysis framework” for monitoring all sorts of network activity, and it produces very UNIX-friendly ASCII logs.  Typically, Bro is great at writing and rotating logs (gzipping and moving them).  But I’ve noticed every so often (even in 2.2) that logs are sometimes not properly rotated.  I wrote this Python script and set it to run as an hourly cron job to look for missed rotations and perform the rotation.
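The check described above, written out as an added example (this is not the script from the original post). It assumes Bro's default layout: live logs in <root>/current/<name>.log, rotated logs under <root>/YYYY-MM-DD/<name>.HH:MM:SS-HH:MM:SS.log.gz, and an hourly rotation interval. The "missed" test is an assumption of this example: a file in current/ whose modification time is older than the rotation interval plus a grace period is treated as missed, which also keeps the script away from a log Bro is still actively writing. The archive time range is derived from the file's mtime, which is also an assumption.

```python
"""Find Bro/Zeek logs that were never rotated and rotate them (added example)."""
import gzip
import shutil
import sys
import time
from datetime import datetime
from pathlib import Path

# Bro's default rotation interval is one hour. Anything older than that plus a
# grace period still sitting in current/ was missed (assumption of this example).
ROTATION_INTERVAL = 3600
GRACE = 600


def find_missed_rotations(current_dir, now=None, max_age=ROTATION_INTERVAL + GRACE):
    """Return the .log files in current_dir whose mtime is older than max_age seconds.

    An actively written log has a fresh mtime, so it is never selected."""
    now = time.time() if now is None else now
    missed = []
    for path in sorted(Path(current_dir).glob("*.log")):
        if now - path.stat().st_mtime > max_age:
            missed.append(path)
    return missed


def rotate_log(path, archive_root):
    """Gzip `path` into archive_root/YYYY-MM-DD/ and remove the original.

    Returns the path of the gzipped archive. The time range in the file name is
    taken from the file's mtime (assumption: mtime marks the end of the period)."""
    path = Path(path)
    mtime = path.stat().st_mtime
    end = datetime.fromtimestamp(mtime)
    start = datetime.fromtimestamp(mtime - ROTATION_INTERVAL)
    day_dir = Path(archive_root) / end.strftime("%Y-%m-%d")
    day_dir.mkdir(parents=True, exist_ok=True)
    target = day_dir / f"{path.stem}.{start:%H:%M:%S}-{end:%H:%M:%S}.log.gz"
    with open(path, "rb") as src, gzip.open(target, "wb") as dst:
        shutil.copyfileobj(src, dst)
    path.unlink()
    return target


def rotate_missed(current_dir, archive_root, now=None):
    """Rotate every missed log and return the archive paths created."""
    return [rotate_log(p, archive_root) for p in find_missed_rotations(current_dir, now)]


if __name__ == "__main__":
    # Hypothetical default path; pass your Bro log root as the first argument.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bro/logs")
    for archived in rotate_missed(root / "current", root):
        print("rotated", archived)
```

Run it from cron as the same user Bro runs as, so the archive directories get the expected ownership; the grace period is there so an hourly cron run that fires a few minutes after Bro's own rotation does not race it.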

bro_daily_googs.py

I wrote this years ago and there’s probably a great way to write this strictly as a .bro script rather than an external python script (perhaps a future blog post…).  This script will parse Bro’s HTTP logs for search queries made via Google, Yahoo, and Bing.  Before Google changed how they handled SafeSearch queries, it used to be able to parse those as well.  Why would you want to parse search queries?  Turns out that it’s a quick way to determine if users are wandering into the seedier and not-safe-for-work realms of the internet.  These could simply be violations of acceptable use agreements, but often these sites will expose users to malicious and questionable software.
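An added example of the parsing described above (not the original bro_daily_googs.py): it reads the #separator and #fields header lines that Bro writes at the top of http.log, so the column positions are never hard-coded, and pulls the search terms out of the request URI. The sample log is constructed and trimmed to four columns; the host suffixes and query parameter names (q for Google and Bing, p for Yahoo) are the assumptions this example relies on and are easy to extend.

```python
"""Pull web search queries out of a Bro/Zeek http.log (added example)."""
from urllib.parse import parse_qs, urlparse

# Constructed, trimmed sample. A real http.log has many more columns, but the
# parser keys on the #fields header so it works unchanged on the full log.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tid.orig_h\thost\turi
#types\ttime\taddr\tstring\tstring
1393000000.123\t10.0.0.5\twww.google.com\t/search?q=free+screensavers&hl=en
1393000001.456\t10.0.0.5\twww.google.com\t/images/logo.png
1393000002.789\t10.0.0.9\tsearch.yahoo.com\t/search?p=free+movies+online
1393000003.000\t10.0.0.9\twww.bing.com\t/search?q=toolbar+download&form=QBLH
1393000004.000\t10.0.0.7\tintranet.example\t/search?q=holiday+schedule
"""

# (host suffix, query parameter that carries the search terms) -- assumptions
ENGINES = [
    (".google.com", "q"),
    (".bing.com", "q"),
    ("search.yahoo.com", "p"),
]


def classify_host(host):
    """Return the query parameter name if host belongs to a known search engine."""
    h = (host or "").lower()
    for suffix, param in ENGINES:
        if h == suffix.lstrip(".") or h.endswith(suffix):
            return param
    return None


def iter_records(lines):
    """Yield one dict per data line, keyed by the names in the #fields header."""
    sep = "\t"
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes the separator as an escape sequence, e.g. "\x09"
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #types, #open, #close, #path ...
        elif fields:
            yield dict(zip(fields, line.split(sep)))


def extract_searches(lines):
    """Return (ts, client ip, engine host, search terms) for every search request."""
    hits = []
    for rec in iter_records(lines):
        param = classify_host(rec.get("host"))
        if param is None:
            continue
        url = urlparse(rec.get("uri", ""))
        if not url.path.startswith("/search"):
            continue  # images, scripts and other non-search requests to the engine
        terms = parse_qs(url.query).get(param)
        if terms:
            hits.append((rec["ts"], rec["id.orig_h"], rec["host"], terms[0]))
    return hits


if __name__ == "__main__":
    for ts, client, host, terms in extract_searches(SAMPLE_HTTP_LOG.splitlines(True)):
        print(f"{ts}\t{client}\t{host}\t{terms}")
```

To run it over a day's logs, feed it the decompressed lines from each rotated http.*.log.gz in the day's directory; because the function only yields rows for known engine hosts with a /search path, a site like the intranet host in the sample is ignored even though its URI looks the same.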

oracle_query.py

I had a situation where I needed to monitor Oracle databases for various transactions on a daily basis.  This was previously a manual process: log in to an Oracle database, run a set of queries against various Oracle databases, and then manually review the results for violations and suspicious activity.  This was incredibly time consuming, so it was time to turn to Python.  My full script would automatically log in to several databases and generate CSV logs of the raw output as well as perform basic analysis.  This isn’t the full code; it’s more of an excerpt that can be customized whichever way you need.
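An added example of the workflow just described (not the post's oracle_query.py): run a fixed set of queries against several databases, write the raw rows to dated CSV files, and apply a simple review rule to each result set. It is written against the DB-API 2.0 interface, so a cx_Oracle connection (cx_Oracle.connect(user, password, dsn)) can be dropped into the connections dict; to run offline, the stand-alone version below builds sqlite3 databases in memory with constructed tables, queries and review rules, all of which are assumptions of this example rather than anything from the original script.

```python
"""Daily audit queries over several databases with CSV output (added example)."""
import csv
import sqlite3
from datetime import date
from pathlib import Path

# Constructed examples of the kind of daily check described: who holds a
# DBA-level role, and failed logins per account (Oracle's ORA-01017 is
# "invalid username/password", used here as the failure return code).
QUERIES = {
    "dba_grants": "SELECT grantee, granted_role, grant_time FROM role_grants "
                  "WHERE granted_role = 'DBA'",
    "failed_logins": "SELECT username, COUNT(*) AS failures FROM audit_trail "
                     "WHERE returncode <> 0 GROUP BY username",
}
APPROVED_DBAS = {"SYS", "SYSTEM"}  # assumed allow-list
RULES = {
    "dba_grants": lambda row: row["grantee"] not in APPROVED_DBAS,
    "failed_logins": lambda row: row["failures"] >= 5,
}


def run_query(conn, sql):
    """Execute sql on any DB-API connection; return (column names, rows as dicts)."""
    cur = conn.cursor()
    cur.execute(sql)
    cols = [d[0] for d in cur.description]
    return cols, [dict(zip(cols, r)) for r in cur.fetchall()]


def run_checks(connections, out_dir, today=None):
    """connections: {db_name: DB-API connection}. Writes one CSV per database and
    query, and returns the rows that a review rule flagged as (db, query, row)."""
    today = today or date.today().isoformat()
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    flagged = []
    for db_name, conn in connections.items():
        for qname, sql in QUERIES.items():
            cols, rows = run_query(conn, sql)
            with open(out_dir / f"{today}_{db_name}_{qname}.csv", "w", newline="") as fh:
                writer = csv.DictWriter(fh, fieldnames=cols)
                writer.writeheader()
                writer.writerows(rows)
            flagged.extend((db_name, qname, row) for row in rows if RULES[qname](row))
    return flagged


def constructed_db(grants, audit_rows):
    """Build an in-memory sqlite3 database standing in for one Oracle instance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role_grants (grantee TEXT, granted_role TEXT, grant_time TEXT);
        CREATE TABLE audit_trail (username TEXT, returncode INTEGER, ts TEXT);
    """)
    conn.executemany("INSERT INTO role_grants VALUES (?, ?, ?)", grants)
    conn.executemany("INSERT INTO audit_trail VALUES (?, ?, ?)", audit_rows)
    return conn


def demo(out_dir):
    """Two constructed databases: one clean, one with a late-night DBA grant and a
    burst of failed logins for a service account."""
    dbs = {
        "HRPROD": constructed_db(
            [("SYSTEM", "DBA", "2014-02-20 08:00"), ("JSMITH", "DBA", "2014-02-21 23:41")],
            [("JSMITH", 0, "2014-02-21 09:00")]
            + [("APPUSER", 1017, f"2014-02-21 03:0{i}") for i in range(6)],
        ),
        "FINPROD": constructed_db(
            [("SYS", "DBA", "2014-01-01 00:00")],
            [("BOB", 1017, "2014-02-21 10:00")],
        ),
    }
    return run_checks(dbs, out_dir, today="2014-02-22")


if __name__ == "__main__":
    for db, query, row in demo("audit_out"):
        print(f"{db}\t{query}\t{row}")
```

Keeping the raw CSV alongside the flagged rows matters: when a rule fires you want yesterday's unfiltered output to compare against, and when a rule is later tightened you can re-run it over the archived CSVs without touching the databases again.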

sra_checks.py

This script flags suspicious VPN logins by looking for a high number of failed logins and by geolocating inbound IP addresses.  It was designed to look at Dell Secure Remote Access VPN logs but could be modified to look at other VPN log types.
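The two checks described, as an added example rather than the original sra_checks.py. The sample log lines are constructed in a generic "timestamp user=... src=... result=..." layout, not the real Dell SRA format; parse_line is the only function tied to the layout, so adapting it to another VPN's logs means changing one regular expression. GEO_TABLE is a constructed stand-in for a GeoIP lookup built from the RFC 5737 documentation ranges (in practice you would query a GeoIP database, for example MaxMind's through the geoip2 package). The failure threshold and the set of expected countries are assumptions.

```python
"""Flag failed-login bursts and logins from unexpected countries in VPN logs
(added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a burst of failures followed by a success from one
# source, two ordinary logins, one user who mistyped once, and a junk line.
SAMPLE_LOG = """\
2014-02-21T08:01:10 user=jsmith src=198.51.100.7 result=failure
2014-02-21T08:01:25 user=jsmith src=198.51.100.7 result=failure
2014-02-21T08:01:41 user=jsmith src=198.51.100.7 result=failure
2014-02-21T08:01:58 user=jsmith src=198.51.100.7 result=failure
2014-02-21T08:02:14 user=jsmith src=198.51.100.7 result=failure
2014-02-21T08:02:30 user=jsmith src=198.51.100.7 result=failure
2014-02-21T08:03:00 user=jsmith src=198.51.100.7 result=success
2014-02-21T08:05:00 user=alice src=203.0.113.4 result=success
2014-02-21T08:06:30 user=bob src=192.0.2.10 result=success
2014-02-21T08:07:00 user=carol src=203.0.113.9 result=failure
2014-02-21T08:07:20 user=carol src=203.0.113.9 result=success
2014-02-21T08:08:00 keepalive from appliance
"""

# Constructed stand-in for a GeoIP database: (network, country code).
GEO_TABLE = [
    ("203.0.113.0/24", "US"),
    ("198.51.100.0/24", "RO"),
    ("192.0.2.0/24", "GB"),
]
EXPECTED_COUNTRIES = {"US", "GB"}  # where the workforce normally connects from
FAILURE_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def geolocate(ip, table=GEO_TABLE):
    """Look the address up in the (constructed) table; 'unknown' when no range matches."""
    addr = ipaddress.ip_address(ip)
    for net, country in table:
        if addr in ipaddress.ip_network(net):
            return country
    return "unknown"


def analyze(lines, threshold=FAILURE_THRESHOLD, expected=EXPECTED_COUNTRIES):
    """Count failures per source over the whole input (an hourly cron run would
    hand it the last hour's lines) and report three things: sources with at
    least `threshold` failures, successful logins from such a source, and
    successful logins geolocated outside the expected countries."""
    failures = Counter()
    successes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["result"] == "failure":
            failures[rec["src"]] += 1
        else:
            successes.append(rec)
    report = {
        "failure_bursts": [(src, n) for src, n in failures.items() if n >= threshold],
        "success_after_burst": [(r["user"], r["src"]) for r in successes
                                if failures[r["src"]] >= threshold],
        "unexpected_country": [],
    }
    for r in successes:
        country = geolocate(r["src"])
        if country not in expected:
            report["unexpected_country"].append((r["user"], r["src"], country))
    return report


if __name__ == "__main__":
    for key, items in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, items)
```

The "success after burst" list is the one worth paging on: a burst of failures alone is noise from a forgotten password as often as not, but a success from the same source right after one is exactly the case where geolocation and a quick call to the user settle it.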

Hope these help someone out!
