Quantcast
Channel: orly going thirty
Viewing all articles
Browse latest Browse all 64

Parsing VPC Flow Logs with Pandas

December 29, 2016, 12:23 pm
$
0
0
Here's a trivial code snippet to parse AWS VPC Flow Logs. This is extremely useful when setting up permissive security groups and then tightening them up later.

This script will (probably) fail if there are too many VPC flow log files (and therefore the Python interpreter would run out of memory). However it's nice to see that Pandas read_csv can read S3 URL's directly (even gzip'ped CSV files).

You can also filter for REJECT  rule and find out all the IP's that have been attempting to attack you.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
fromboto.s3.connectionimport S3Connection
importpandasaspd
importos

srcbucket ='flowlogs-bucket-orly'
aws_access_key ='AKIAxxx'
aws_secret_key ='oRCIxxx'

os.environ['AWS_ACCESS_KEY_ID'] = aws_access_key
os.environ['AWS_SECRET_ACCESS_KEY'] = aws_secret_key

cols = [ 'timestamp', 'version', 'accountid', 'interfaceid', 'srcaddr', 'dstaddr', 'srcport', 'dstport', 'protocol', 'packets', 'bytes', 'start', 'end', 'action', 'logstatus']

# iterate over all the VPC flowlogs in the bucket
conn = S3Connection(aws_access_key, aws_secret_key)
bucket = conn.get_bucket(srcbucket)

count =0
for key in bucket.list():
    keystr = key.name.encode('utf-8')
if'eni-'in keystr:
        s3url ='s3://'+ srcbucket +'/'+ keystr
        count = count +1

if (count ==1):
            df = pd.read_csv(s3url, delim_whitespace=True, header=None, names=cols, low_memory=True)
            df = df [ df['action'] =='ACCEPT']
else:
            df2 = pd.read_csv(s3url, delim_whitespace=True, header=None, names=cols, low_memory=True)
            df2 = df2 [ df2['action'] =='ACCEPT']
            df = df.append(df2, ignore_index=True)

print'Processed '+ keystr

src = df.groupby(['srcaddr', 'dstaddr', 'dstport']).size().reset_index()
src.columns = [ 'srcaddr', 'dstaddr', 'dstport', 'count' ]

n = src.sort_values(by = ['count', 'srcaddr', 'dstaddr'], ascending=False)

print(n)
Search
Viewing all articles
Browse latest Browse all 64

Trending Articles

Scuffham Amps - S-GEAR 2.6.0 VST, AAX, STANDALONE x86 x64 (R2R NO iLok2, +NO...

November 19, 2017, 7:24 am

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

VHSE First (1st) Allotment 2025 - vhscap.kerala.gov.in

May 24, 2025, 11:58 pm

UNIVERSE LEAGUE – UNIVERSE LEAGUE – WAR (We Are Ready) – EP [iTunes Plus M4A]

January 26, 2025, 11:12 am

City Hunter Teledrama – Episode 18 – 07th May 2016

May 6, 2016, 2:05 pm

Comment on Proposed Criteria for Identifying Predatory Conferences by Luke...

July 4, 2016, 3:53 am

Bureau of Internal Revenue: Regional Offices (Directory)

January 9, 2014, 11:06 pm

Kendrick Lamar – Not Like Us (2024) [24Bit-88.2kHz] [PMEDIA] ⭐️

May 14, 2024, 7:14 pm

Inception 2010 Hindi Dual Audio 650MB BRRip 720p ESubs HEVC

December 27, 2016, 4:23 pm

East Hull MD admits sexual assaults after another victim comes forward

January 14, 2013, 12:20 am

Download: FK ft Shenky – Nakuyewa ”Prod by: Shenky”

February 16, 2017, 4:24 pm

R. v. Sargeant, 2023 ONSC 6406 (CanLII)

November 13, 2023, 9:00 pm

Rajasthan Board 10th Result 2016 Roll No wise & Name Wise

August 20, 2016, 5:13 pm

Who’s been sentenced at Northampton Magistrates’ Court

March 30, 2019, 10:00 pm

मतलबी दोस्त स्टेट्स | Matlabi Dost Status in Hindi – Selfish Friends Status

February 13, 2020, 3:12 am

Family cries out as traditional ruler allegedly abducts brother, extorts N2.5m

September 15, 2024, 1:15 am

Long-Running Conflict In Springfield (MA) Gangland Sphere Has Manzi Family &...

December 26, 2017, 3:59 pm

Wondershare Filmora X v10.1.20.16 x64

February 8, 2021, 5:34 am

Man arrested after fracas in flat

January 16, 2017, 10:10 pm

Man charged in ongoing Sexual Assault Investigation Derek Nyilas, 46, Faces...

May 27, 2019, 8:00 am
Search