I’m consistently impressed by Python and the power it gives anyone to automate a myriad of tasks. I encourage all security professionals to learn Python as you have or will more than likely run into a problem that requires some kind of automation. I got started by going through the excellent How to Think Like a Computer Scientist tutorial.
I’m not a Python expert by any means but I’ve written a few scripts that I thought I’d share in the hopes that others may find them useful. Forgive any inefficiencies!
I *love* Bro and think it’s an amazing open source security tool. For those unfamiliar, it is a “network analysis framework” for monitoring all sorts of network activity and produces very UNIX-friendly ASCII logs. Typically, Bro is great at writing and rotating logs (gzipping and moving them). But I’ve noticed every so often (even in 2.2) that logs are sometimes not properly rotated. I wrote this python script and set it to run as an hourly cron job to look for missed rotations and perform the rotation.
I wrote this years ago and there’s probably a great way to write this strictly as a .bro script rather than an external python script (perhaps a future blog post…). This script will parse Bro’s HTTP logs for search queries made via Google, Yahoo, and Bing. Before Google changed how they handled SafeSearch queries, it used to be able to parse those as well. Why would you want to parse search queries? Turns out that it’s a quick way to determine if users are wandering into the seedier and not-safe-for-work realms of the internet. These could simply be violations of acceptable use agreements, but often these sites will expose users to malicious and questionable software.
I had a situation where I needed to monitor Oracle databases for various transactions on a daily basis. This was previously a manual process: login to Oracle database, run a set of queries against various Oracle databases, and then manually review results for violations and suspicious activity. This was incredibly time consuming, so it was time to turn to Python. My full script would automatically login to several databases and generate CSV logs of raw output as well as perform basic analysis. This isn’t the full code, more an excerpt that can be customized whichever way you need.
This checks for suspicious VPN logins by checking for a high number of failed logins and geolocating inbound IP addresses. This was designed to look at Dell Secure Remote Access VPN logs but could be modified to look at other VPN log types.
Hope these help someone out!