JustinAzoff/crunch_bro_ssh.py

## crunch_bro_ssh.py
import sys
import csv
import subprocess
from collections import namedtuple, defaultdict

DATA = "zcat /usr/local/bro/logs/*/ssh*z |bro-cut  id.orig_h id.resp_h auth_success"

Record = namedtuple("Record", "src dst success")
Result = namedtuple("Result", "src success failure unknown hosts subnets")

#from bhr_client.rest import login_from_env
#bhr_client = login_from_env()
#blocked = set(rec['cidr'].replace("/32","") for rec in bhr_client.get_list())

def get_subnet(ip):
    subnet, _ = ip.rsplit(".", 1)
    return subnet

def get_data():
    cmd = subprocess.Popen(DATA, shell=True, stdout=subprocess.PIPE)
    for line in cmd.stdout:
        src, dst, success = line.strip().split("\t")
        yield Record(src, dst, success)

def new_source_record():
    return {
        "success": 0,
        "failure": 0,
        "unknown": 0,
        "hosts": set(),
        "subnets": set(),
    }

SSH_STATUS_MAPPING = {
    'T': 'success',
    'F': 'failure',
    '-': 'unknown',
}
def crunch():
    sources = defaultdict(new_source_record)
    for rec in get_data():
        dat = sources[rec.src]

        field = SSH_STATUS_MAPPING[rec.success]
        dat[field] += 1

        dat["hosts"].add(rec.dst)
        dat["subnets"].add(get_subnet(rec.dst))

    for src, dat in sources.items():
        rec = Result(src, dat["success"], dat["failure"], dat["unknown"], len(dat["hosts"]), len(dat["subnets"]))
        yield rec

COLUMNS = ["src", "success", "failure", "unknown", "hosts", "subnets"]

def main():
    writer = csv.writer(sys.stdout, delimiter="\t")
    writer.writerow(COLUMNS)
    for rec in crunch():
        writer.writerow(rec)

if __name__ == "__main__":
    main()
	import sys
	import csv
	import subprocess
	from collections import namedtuple, defaultdict

	DATA = "zcat /usr/local/bro/logs//sshz \|bro-cut id.orig_h id.resp_h auth_success"

	Record = namedtuple("Record", "src dst success")
	Result = namedtuple("Result", "src success failure unknown hosts subnets")

	#from bhr_client.rest import login_from_env
	#bhr_client = login_from_env()
	#blocked = set(rec['cidr'].replace("/32","") for rec in bhr_client.get_list())

	def get_subnet(ip):
	subnet, _ = ip.rsplit(".", 1)
	return subnet

	def get_data():
	cmd = subprocess.Popen(DATA, shell=True, stdout=subprocess.PIPE)
	for line in cmd.stdout:
	src, dst, success = line.strip().split("\t")
	yield Record(src, dst, success)

	def new_source_record():
	return {
	"success": 0,
	"failure": 0,
	"unknown": 0,
	"hosts": set(),
	"subnets": set(),
	}

	SSH_STATUS_MAPPING = {
	'T': 'success',
	'F': 'failure',
	'-': 'unknown',
	}
	def crunch():
	sources = defaultdict(new_source_record)
	for rec in get_data():
	dat = sources[rec.src]

	field = SSH_STATUS_MAPPING[rec.success]
	dat[field] += 1

	dat["hosts"].add(rec.dst)
	dat["subnets"].add(get_subnet(rec.dst))

	for src, dat in sources.items():
	rec = Result(src, dat["success"], dat["failure"], dat["unknown"], len(dat["hosts"]), len(dat["subnets"]))
	yield rec

	COLUMNS = ["src", "success", "failure", "unknown", "hosts", "subnets"]

	def main():
	writer = csv.writer(sys.stdout, delimiter="\t")
	writer.writerow(COLUMNS)
	for rec in crunch():
	writer.writerow(rec)

	if __name__ == "__main__":
	main()