{ "metadata": { "name": "", "signature": "sha256:68d702d5c3abbbc96762808f68f327f6d51d8681d28d26959cce998dfc012611" }, "nbformat": 3, "nbformat_minor": 0, "worksheets": [ { "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "
\n", "# PCAP to Pandas Dataframe\n", "This notebook demonstrates a particularly kewl feature of workbench: quickly and efficiently going from raw data to a Pandas DataFrame.\n", "\n", "Here we're using the workbench server to look at a specific case captured by [ThreatGlass](http://www.threatglass.com/). The exploited website for this exercise is gold-xxx.net [ThreatGlass_Info](http://www.threatglass.com/malicious_urls/141deabbc8741175d9f51559cf4ef3dd?process_date=2014-05-29).\n", "\n", "**Tools in this Notebook:**\n", "\n", "- Workbench: Open Source Security Framework [Workbench GitHub](https://github.com/SuperCowPowers/workbench)\n", "- Bro Network Security Monitor (http://www.bro.org)\n", "- Pandas: Python Data Analysis Library (http://pandas.pydata.org)\n", "\n", "**More Info:** \n", "\n", "- See [PCAP_to_Graph](http://nbviewer.ipython.org/github/SuperCowPowers/workbench/blob/master/workbench/notebooks/PCAP_to_Graph.ipynb) for a short notebook on turning this PCAP into a Neo4j graph.\n", "\n", "- See [Workbench Demo Notebook](http://nbviewer.ipython.org/github/SuperCowPowers/workbench/blob/master/workbench/notebooks/Workbench_Demo.ipynb) for a lot more info on using workbench.\n", "\n", "$ workbench_server\n", "" ] }, { "cell_type": "code", "collapsed": false, "input": [ "# Let's start to interact with workbench. Please note there is NO specific client for workbench;\n", "# just use the ZeroRPC Python, Node.js, or CLI interfaces.\n", "import zerorpc\n", "c = zerorpc.Client(timeout=120)\n", "c.connect(\"tcp://127.0.0.1:4242\")" ], "language": "python", "metadata": {}, "outputs": [ { "metadata": {}, "output_type": "pyout", "prompt_number": 5, "text": [ "[None]" ] } ], "prompt_number": 5 }, { "cell_type": "markdown", "metadata": {}, "source": [ "\n", "# Read in the Data\n", " The data is pulled from [ThreatGlass](http://www.threatglass.com/); the exploited website for this exercise is gold-xxx.net 
[ThreatGlass_Info](http://www.threatglass.com/malicious_urls/141deabbc8741175d9f51559cf4ef3dd?process_date=2014-05-29).\n", "" ] }, { "cell_type": "code", "collapsed": false, "input": [ "# Load in the PCAP file\n", "with open('../data/pcap/gold_xxx.pcap','rb') as f:\n", " pcap_md5 = c.store_sample(f.read(), 'gold_xxx', 'pcap')" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 6 }, { "cell_type": "code", "collapsed": false, "input": [ "# We can also ask workbench for a python dictionary of all the info from this PCAP,\n", "# because sometimes visualization are useful and sometimes organized data is useful.\n", "output = c.work_request('view_pcap_details', pcap_md5)['view_pcap_details']\n", "output" ], "language": "python", "metadata": {}, "outputs": [ { "metadata": {}, "output_type": "pyout", "prompt_number": 10, "text": [ "{'bro_logs': {'conn_log': 'e6b210abca2299821a31e4448260f5da',\n", " 'dhcp_log': 'cf081f397ae93aaeada91cb68ac86168',\n", " 'dns_log': '3af86fbc1bd125c83160d1f5d0cafa39',\n", " 'files_log': '468dca88929d2ed54b26ff81fe1b1700',\n", " 'http_log': 'b76384cf1c5179bccf64f8320882af94',\n", " 'packet_filter_log': '87676f840e783c2dc537efe51acfc075',\n", " 'weird_log': 'a8d45ed8b0ddb0b9e115d05fe9f65dea'},\n", " 'extracted_files': [{'entropy': 6.845206689967475,\n", " 'file_size': 219136,\n", " 'file_type': 'PE32 executable (GUI) Intel 80386, for MS Windows',\n", " 'md5': '17d786f9a3ac2b54cf29122cd58bdabe',\n", " 'sha256': 'cc5bd99f15d2b2c3153ca132245b2780fac08e66c8ed0dc096919b81beb886b5',\n", " 'ssdeep': '3072:ddZuptT5MSMLp30xUiteu55Cva5xmSnaCOnQe+kAiE7jtMH4jIT9m26zD2FzXunl:dneTSjaxjeu50va5xm2jtcUQR2'},\n", " {'entropy': 6.845206689967475,\n", " 'file_size': 219136,\n", " 'file_type': 'PE32 executable (GUI) Intel 80386, for MS Windows',\n", " 'md5': '17d786f9a3ac2b54cf29122cd58bdabe',\n", " 'sha256': 'cc5bd99f15d2b2c3153ca132245b2780fac08e66c8ed0dc096919b81beb886b5',\n", " 'ssdeep': 
'3072:ddZuptT5MSMLp30xUiteu55Cva5xmSnaCOnQe+kAiE7jtMH4jIT9m26zD2FzXunl:dneTSjaxjeu50va5xm2jtcUQR2'},\n", " {'entropy': 6.672123050634468,\n", " 'file_size': 149,\n", " 'file_type': 'data',\n", " 'md5': '016d482b6cf4fda57240b539e1468794',\n", " 'sha256': 'b5b1c65f25374362658c6c8ffbdf15fa61f7c09890eb30bd9e835906b2fdd9c6',\n", " 'ssdeep': '3:WH9TISb/x9doI+YBU4eqezcW73YOJKVsv/dXN5bgZMlR/73bU4ZEMGOB9:6ISbvV+2bHYn/d95bg2zbDEI7'},\n", " {'entropy': 3.7725899061892,\n", " 'file_size': 1150,\n", " 'file_type': 'MS Windows icon resource - 1 icon',\n", " 'md5': '8f8e6f2edc6d89b9632d7fa73ee4f5ea',\n", " 'sha256': 'af0db6b81e131069926379a610d770973d24b2be92a99cb5c1a30b5fc4b13e5e',\n", " 'ssdeep': '12:jG28R+X1Zxr94pUfHudkLaJaJaJaJaaJaJaJgEhKqEYax5adqwtmUUlR55n:i28AxrVfHsZUUUXUUVhz1l8UUj'},\n", " {'entropy': 6.672123050634468,\n", " 'file_size': 149,\n", " 'file_type': 'data',\n", " 'md5': '016d482b6cf4fda57240b539e1468794',\n", " 'sha256': 'b5b1c65f25374362658c6c8ffbdf15fa61f7c09890eb30bd9e835906b2fdd9c6',\n", " 'ssdeep': '3:WH9TISb/x9doI+YBU4eqezcW73YOJKVsv/dXN5bgZMlR/73bU4ZEMGOB9:6ISbvV+2bHYn/d95bg2zbDEI7'},\n", " {'entropy': 6.845206689967475,\n", " 'file_size': 219136,\n", " 'file_type': 'PE32 executable (GUI) Intel 80386, for MS Windows',\n", " 'md5': '17d786f9a3ac2b54cf29122cd58bdabe',\n", " 'sha256': 'cc5bd99f15d2b2c3153ca132245b2780fac08e66c8ed0dc096919b81beb886b5',\n", " 'ssdeep': '3072:ddZuptT5MSMLp30xUiteu55Cva5xmSnaCOnQe+kAiE7jtMH4jIT9m26zD2FzXunl:dneTSjaxjeu50va5xm2jtcUQR2'},\n", " {'entropy': 6.845206689967475,\n", " 'file_size': 219136,\n", " 'file_type': 'PE32 executable (GUI) Intel 80386, for MS Windows',\n", " 'md5': '17d786f9a3ac2b54cf29122cd58bdabe',\n", " 'sha256': 'cc5bd99f15d2b2c3153ca132245b2780fac08e66c8ed0dc096919b81beb886b5',\n", " 'ssdeep': '3072:ddZuptT5MSMLp30xUiteu55Cva5xmSnaCOnQe+kAiE7jtMH4jIT9m26zD2FzXunl:dneTSjaxjeu50va5xm2jtcUQR2'},\n", " {'entropy': 6.845206689967475,\n", " 'file_size': 219136,\n", " 'file_type': 'PE32 executable (GUI) Intel 
80386, for MS Windows',\n", " 'md5': '17d786f9a3ac2b54cf29122cd58bdabe',\n", " 'sha256': 'cc5bd99f15d2b2c3153ca132245b2780fac08e66c8ed0dc096919b81beb886b5',\n", " 'ssdeep': '3072:ddZuptT5MSMLp30xUiteu55Cva5xmSnaCOnQe+kAiE7jtMH4jIT9m26zD2FzXunl:dneTSjaxjeu50va5xm2jtcUQR2'},\n", " {'entropy': 7.306977991950132,\n", " 'file_size': 12761,\n", " 'file_type': 'PDF document, version 1.6',\n", " 'md5': 'b85cb7cee9e145ac4dfb7e8f1870e360',\n", " 'sha256': 'af1f3785ea4a2be08cb13c6b32a3cf71bbe24f50530b591ddb3be9d363d2e6a3',\n", " 'ssdeep': '384:SW3+jGeEBnZgazaw0eUqfgij6aUi0f+xOfESUxDnDKT:fW+h0eho5YxOIFKT'},\n", " {'entropy': 7.855433934299751,\n", " 'file_size': 10629,\n", " 'file_type': 'Java Jar file data (zip)',\n", " 'md5': 'd4c56b4d0ba9fbbd1028b83401eec133',\n", " 'sha256': '155527017e6dbeec01c1b0a99f9db9dcf7a0b4ea902fb6586b463b2836e481bc',\n", " 'ssdeep': '192:rh3cJzBpxUybGZXwnYzG2/HCtLVl+Wg/+czIPKGgGmnzmIlbA:t3KLFbGdqU6tCWdc8PKUwmf'},\n", " {'entropy': 6.845206689967475,\n", " 'file_size': 219136,\n", " 'file_type': 'PE32 executable (GUI) Intel 80386, for MS Windows',\n", " 'md5': '17d786f9a3ac2b54cf29122cd58bdabe',\n", " 'sha256': 'cc5bd99f15d2b2c3153ca132245b2780fac08e66c8ed0dc096919b81beb886b5',\n", " 'ssdeep': '3072:ddZuptT5MSMLp30xUiteu55Cva5xmSnaCOnQe+kAiE7jtMH4jIT9m26zD2FzXunl:dneTSjaxjeu50va5xm2jtcUQR2'},\n", " {'entropy': 4.869185904780487,\n", " 'file_size': 7692,\n", " 'file_type': 'assembler source, ASCII text',\n", " 'md5': '739993fe99fcb74d283f7faa1617984b',\n", " 'sha256': '2882a10573b80d8c6cfe2137160f993523082dd20948cbbfcb2458128d0a3043',\n", " 'ssdeep': '192:/2TFrmh1FVFlrfVWIXXoJAaF7Fe7cFJeS1NM8M8D2f:uTFryFVFlr9WcaF7FeoF0mHm'},\n", " {'entropy': 6.570728034441538,\n", " 'file_size': 156160,\n", " 'file_type': 'PE32 executable (GUI) Intel 80386, for MS Windows',\n", " 'md5': 'c37f0a7b0249c91a43e749ad3660fb55',\n", " 'sha256': 'e0124e97a99c40b6f48760ab90d2ed009f9b4c661f3e98c86c848b876588c47d',\n", " 'ssdeep': 
'3072:Dd/1aVzIF8P3h3cJUitGoDp+XSB5mKAKYOnQe+FSDHslun81L:DraVzTP3GJjGoDYXSB5mkHet'},\n", " {'entropy': 7.855433934299751,\n", " 'file_size': 10629,\n", " 'file_type': 'Java Jar file data (zip)',\n", " 'md5': 'd4c56b4d0ba9fbbd1028b83401eec133',\n", " 'sha256': '155527017e6dbeec01c1b0a99f9db9dcf7a0b4ea902fb6586b463b2836e481bc',\n", " 'ssdeep': '192:rh3cJzBpxUybGZXwnYzG2/HCtLVl+Wg/+czIPKGgGmnzmIlbA:t3KLFbGdqU6tCWdc8PKUwmf'},\n", " {'entropy': 6.570728034441538,\n", " 'file_size': 156160,\n", " 'file_type': 'PE32 executable (GUI) Intel 80386, for MS Windows',\n", " 'md5': 'c37f0a7b0249c91a43e749ad3660fb55',\n", " 'sha256': 'e0124e97a99c40b6f48760ab90d2ed009f9b4c661f3e98c86c848b876588c47d',\n", " 'ssdeep': '3072:Dd/1aVzIF8P3h3cJUitGoDp+XSB5mKAKYOnQe+FSDHslun81L:DraVzTP3GJjGoDYXSB5mkHet'},\n", " {'entropy': 7.855433934299751,\n", " 'file_size': 10629,\n", " 'file_type': 'Java Jar file data (zip)',\n", " 'md5': 'd4c56b4d0ba9fbbd1028b83401eec133',\n", " 'sha256': '155527017e6dbeec01c1b0a99f9db9dcf7a0b4ea902fb6586b463b2836e481bc',\n", " 'ssdeep': '192:rh3cJzBpxUybGZXwnYzG2/HCtLVl+Wg/+czIPKGgGmnzmIlbA:t3KLFbGdqU6tCWdc8PKUwmf'}],\n", " 'md5': 'c8e58ff22b9a8e48838373fbb1692bdd'}" ] } ], "prompt_number": 10 }, { "cell_type": "markdown", "metadata": {}, "source": [ "\n", "## If the next line of code doesn't blow your mind, you aren't paying attention!\n", "#### Thanks to ZeroRPC all of the Bro logs are streamed from server to client with NETWORK STREAMING GENERATORS; those highly efficient generators are zero-copy and stream data directly into Pandas DataFrames.\n", "\n", "#### For more on client/server generators and client-constructed/server-executed generator pipelines see our super spiffy [Generator Pipelines](http://nbviewer.ipython.org/url/raw.github.com/SuperCowPowers/workbench/master/workbench/notebooks/Generator_Pipelines.ipynb) notebook." 
] }, { "cell_type": "code", "collapsed": false, "input": [ "# Critical Code: Transition from Bro logs to Pandas Dataframes\n", "# This one line of code populates dataframes from the Bro logs:\n", "# streaming client/server generators, zero-copy, efficient, awesome...\n", "import pandas as pd\n", "dataframes = {name: pd.DataFrame(c.stream_sample(bro_log, None)) for name, bro_log in output['bro_logs'].items()}" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 11 }, { "cell_type": "markdown", "metadata": {}, "source": [ "\n", "# Let's look at the Data\n", "We're going to use some nice functionality in the Pandas dataframe to look at our network data; specifically, we're going to group by host, host-ip, mime_type and uri. The last column represents the aggregated sum of response_body_len.\n", "
| | query | answers | qtype_name |
|---|---|---|---|
| 0 | gold-xxx.net | 178.208.85.60 | A |
| 1 | counter.yadro.ru | 88.212.196.105,88.212.196.122,88.212.196.123,8... | A |
| 2 | picsee.net | 62.75.207.72 | A |
| 3 | counter.rambler.ru | 81.19.88.95,81.19.88.96,81.19.88.102,81.19.88.... | A |
| 4 | freeroomhostelz.com | 91.194.254.195 | A |
| 5 | 57d9bf9co3qbc.paroonic.ru | 80.72.37.112 | A |
| 6 | 323210841-1.paroonic.ru | 80.72.37.112 | A |
| 7 | domainsfullkolls.biz | 94.242.216.61 | A |
| 8 | update.microsoft.com | update.microsoft.com.nsatc.net,157.56.96.60,15... | A |
| 9 | update.microsoft.com | update.microsoft.com.nsatc.net,65.55.138.114,1... | A |

10 rows × 3 columns
| | conn_state | duration | history | id.orig_h | id.orig_p | id.resp_h | id.resp_p | local_orig | missed_bytes | orig_bytes | orig_ip_bytes | orig_pkts | proto | resp_bytes | resp_ip_bytes | resp_pkts | service | ts | tunnel_parents | uid |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | RSTO | 0.631127 | ShADadR | 192.168.39.10 | 1036 | 178.208.85.60 | 80 | - | 0 | 587 | 955 | 9 | tcp | 6459 | 6743 | 7 | http | 1.401401e+09 | (empty) | CBdyLA2FydtnrvzeBi |
| 1 | RSTO | 0.150052 | ShR | 192.168.39.10 | 1037 | 178.208.85.60 | 80 | - | 0 | 0 | 88 | 2 | tcp | 0 | 44 | 1 | - | 1.401401e+09 | (empty) | C0gD932Pau36gzSy93 |
| 2 | RSTO | 0.151529 | ShR | 192.168.39.10 | 1040 | 178.208.85.60 | 80 | - | 0 | 0 | 88 | 2 | tcp | 0 | 44 | 1 | - | 1.401401e+09 | (empty) | CXTGqY2XNUSXRynhFg |
| 3 | RSTO | 0.152817 | ShR | 192.168.39.10 | 1039 | 178.208.85.60 | 80 | - | 0 | 0 | 88 | 2 | tcp | 0 | 44 | 1 | - | 1.401401e+09 | (empty) | CNLjfJ1CSChTSRPRO1 |
| 4 | RSTO | 0.154018 | ShR | 192.168.39.10 | 1038 | 178.208.85.60 | 80 | - | 0 | 0 | 88 | 2 | tcp | 0 | 44 | 1 | - | 1.401401e+09 | (empty) | CWUpVH2eZ0g3HgXe1k |
| 5 | RSTO | 0.15395 | ShR | 192.168.39.10 | 1041 | 178.208.85.60 | 80 | - | 0 | 0 | 88 | 2 | tcp | 0 | 44 | 1 | - | 1.401401e+09 | (empty) | C7WF992bGceJEID9k5 |
| 6 | SF | 0.802815 | ShADdfFa | 192.168.39.10 | 1051 | 88.212.196.105 | 80 | - | 0 | 653 | 901 | 6 | tcp | 1621 | 1829 | 5 | http | 1.401401e+09 | (empty) | C05Lh44T4Od4nxKuPc |
| 7 | SF | 0.009575 | Dd | 192.168.39.10 | 1048 | 4.2.2.3 | 53 | - | 0 | 28 | 56 | 1 | udp | 44 | 72 | 1 | dns | 1.401401e+09 | (empty) | CoK5EL2wWO4GXS26D7 |
| 8 | RSTO | 6.797592 | ShADadfR | 192.168.39.10 | 1055 | 91.194.254.195 | 80 | - | 0 | 326 | 574 | 6 | tcp | 801 | 969 | 4 | http | 1.401401e+09 | (empty) | CiDYwq4jpcz4IGmX0g |
| 9 | RSTO | 8.367047 | ShADdfR | 192.168.39.10 | 1054 | 81.19.88.95 | 80 | - | 0 | 799 | 1287 | 12 | tcp | 7618 | 7946 | 8 | http | 1.401401e+09 | (empty) | CDR6w61LKf7XpsHC36 |

10 rows × 20 columns
| | missed_bytes | orig_ip_bytes | resp_ip_bytes | resp_pkts |
|---|---|---|---|---|
| count | 65 | 65.000000 | 65.000000 | 65.000000 |
| mean | 0 | 1221.769231 | 39791.953846 | 17.107692 |
| std | 0 | 1685.608669 | 74050.375527 | 27.989464 |
| min | 0 | 48.000000 | 0.000000 | 0.000000 |
| 25% | 0 | 63.000000 | 79.000000 | 1.000000 |
| 50% | 0 | 464.000000 | 365.000000 | 4.000000 |
| 75% | 0 | 1600.000000 | 51482.000000 | 18.000000 |
| max | 0 | 5312.000000 | 223664.000000 | 106.000000 |

8 rows × 4 columns
| | conn_state | duration | history | id.orig_h | id.orig_p | id.resp_h | id.resp_p | local_orig | missed_bytes | orig_bytes | orig_ip_bytes | orig_pkts | proto | resp_bytes | resp_ip_bytes | resp_pkts | service | ts | tunnel_parents | uid | ... |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 7 | SF | 0.009575 | Dd | 192.168.39.10 | 1048 | 4.2.2.3 | 53 | - | 0 | 28 | 56 | 1 | udp | 44 | 72 | 1 | dns | 1.401401e+09 | (empty) | CoK5EL2wWO4GXS26D7 | ... |
| 11 | SF | 11.55683 | Dd | 192.168.39.10 | 1035 | 4.2.2.3 | 53 | - | 0 | 221 | 389 | 6 | udp | 669 | 837 | 6 | dns | 1.401401e+09 | (empty) | CBWgV42cYiaGqu9Z25 | ... |
| 12 | S0 | 0.000911 | D | 0.0.0.0 | 68 | 255.255.255.255 | 67 | - | 0 | 626 | 682 | 2 | udp | 0 | 0 | 0 | dhcp | 1.401401e+09 | (empty) | CKYJGa15i6s1Rpq0Y | ... |
| 13 | SF | 2.110374 | dD | 192.168.39.10 | 68 | 192.168.39.1 | 67 | - | 0 | 314 | 342 | 1 | udp | 900 | 984 | 3 | dhcp | 1.401401e+09 | (empty) | C6zKAr3iKNDLKufq4h | ... |
| 15 | SF | 0.027165 | Dd | 192.168.39.10 | 1035 | 4.2.2.3 | 53 | - | 0 | 38 | 66 | 1 | udp | 54 | 82 | 1 | dns | 1.401401e+09 | (empty) | C50uAqkg2gpAF0eH5 | ... |
| 26 | S0 | 6.024315 | D | 192.168.39.10 | 1058 | 239.255.255.250 | 1900 | - | 0 | 399 | 483 | 3 | udp | 0 | 0 | 0 | - | 1.401401e+09 | (empty) | CAirC04eZatVhqLFvc | ... |
| 41 | SF | 0.008703 | Dd | 192.168.39.10 | 1035 | 4.2.2.3 | 53 | - | 0 | 38 | 66 | 1 | udp | 114 | 142 | 1 | dns | 1.401401e+09 | (empty) | Cjnp9B3tRdimStImlc | ... |
| 42 | SF | 0.009521 | Dd | 192.168.39.10 | 1048 | 4.2.2.3 | 53 | - | 0 | 38 | 66 | 1 | udp | 114 | 142 | 1 | dns | 1.401401e+09 | (empty) | Cl5qe21lfeB8wXEZg4 | ... |
| 43 | SF | 0.021553 | Dd | 192.168.39.10 | 1066 | 8.8.4.4 | 53 | - | 0 | 35 | 63 | 1 | udp | 51 | 79 | 1 | dns | 1.401401e+09 | (empty) | Cn9DTl3yp91dxD8hFl | ... |
| 44 | SF | 0.001862 | Dd | 192.168.39.10 | 1068 | 8.8.4.4 | 53 | - | 0 | 35 | 63 | 1 | udp | 51 | 79 | 1 | dns | 1.401401e+09 | (empty) | Cy7sm63NXzJ1XuxTpj | ... |

10 rows × 21 columns
| host | id.resp_h | resp_mime_types | uri | response_body_len |
|---|---|---|---|---|
| 323210841-1.paroonic.ru | 80.72.37.112 | application/jar | /1401379560.jar | 31887 |
| | | application/pdf | /1401379560.pdf | 12761 |
| | | application/x-dosexec | /f/1401379560/5/x00cf6b534e520804090407000700080150050f0304045106565601;1;5 | 156160 |
| | | | /f/1401379560/6 | 156160 |
| | | text/html | /1401379560.htm | 21138 |
| 57d9bf9co3qbc.paroonic.ru | 80.72.37.112 | text/html | / | 89366 |
| counter.rambler.ru | 81.19.88.95 | image/gif | /top100.scn?2148353&rn=2061653628&v=0.3i&bs=780x427&ce=1&rf&en=windows-1251&pt=Download porn free clips, sex porn video&cd=24-bit&sr=800x600&la=en-us&ja=1&acn=Mozilla&an=Microsoft Internet Explorer&pl=Win32&tz=240&fv=10.0 r32&sv&le=1 | 49 |
| | | text/plain | /top100.jcn?2148353 | 6853 |
| counter.yadro.ru | 88.212.196.105 | image/gif | /hit?q;t28.6;r;s800*600*24;uhttp://gold-xxx.net/;0.6712898022427673 | 763 |
| | | text/html | /hit?t28.6;r;s800*600*24;uhttp://gold-xxx.net/;0.6712898022427673 | 32 |
| freeroomhostelz.com | 91.194.254.195 | text/html | / | 413 |
| gold-xxx.net | 178.208.85.60 | - | /css/engine.css | 0 |
| | | image/gif | /templates/xxibeka/images/all_bg.png | 2247 |
| | | | /templates/xxibeka/images/col-mid-r.gif | 107 |
| | | | /templates/xxibeka/images/col-top-r.gif | 1122 |
| | | | /templates/xxibeka/images/news.gif | 1416 |
| | | | /templates/xxibeka/images/search.gif | 254 |
| | | image/jpeg | /templates/xxibeka/images/content.jpg | 1631 |
| | | | /templates/xxibeka/images/header.jpg | 3630 |
| | | | /templates/xxibeka/images/logo.jpg | 47378 |
| | | | /uploads/posts/2014-05/1401395470_eavlolprh2nywzf.jpeg | 34600 |
| | | | /uploads/posts/2014-05/1401395923_8z4umchk5zwstxw.jpeg | 34866 |
| | | | /uploads/posts/2014-05/1401396326_clybb9irt17pygm.jpeg | 31199 |
| | | | /uploads/posts/2014-05/1401396909_n8xfse70ugli1cz.jpeg | 51466 |
| | | | /uploads/posts/2014-05/1401397123_avgnhrqeylibgyk.jpeg | 49333 |
| | | | /uploads/posts/2014-05/1401397541_qbdkzupvm18lgre.jpeg | 36246 |
| | | | /uploads/posts/2014-05/1401397822_03ifpwcqtqmz65r.jpeg | 37594 |
| | | | /uploads/posts/2014-05/1401398230_zkihngphpwvsuxf.jpeg | 36792 |
| | | | /uploads/posts/2014-05/1401400046_jpfy4mfyskolthi.jpeg | 38434 |
| | | | /uploads/posts/2014-05/1401400094_aiax6go3xlpkr8d.jpeg | 44885 |
| | | image/png | /templates/xxibeka/images/nav.png | 184 |
| | | | /templates/xxibeka/images/send.png | 3826 |
| | | image/x-icon | /favicon.ico | 1150 |
| | | text/html | / | 30992 |
| | | | /css/engine.css | 290 |
| | | | /css/site.css | 288 |
| | | | /css/style.css | 289 |
| | | | /engine/classes/js/jquery.js | 94840 |
| | | | /engine/classes/js/js_edit.js | 11012 |
| | | | /templates/xxibeka/css/template_css.css | 314 |
| | | | /templates/xxibeka/images/h1bg.gif | 309 |
| | | | /templates/xxibeka/images/m-bottom.gife | 314 |
| | | | /templates/xxibeka/images/m-center.gife | 314 |
| | | | /templates/xxibeka/images/m-top.gife | 311 |
| | | text/plain | /engine/classes/js/dialog.js | 47054 |
| | | | /engine/classes/js/dle_ajax.js | 4931 |
| | | | /engine/classes/js/effects.js | 13628 |
| | | | /engine/classes/js/menu.js | 2992 |
| | | | /templates/xxibeka/css/site.css | 595 |
| | | | /templates/xxibeka/css/style.css | 13241 |
| | | text/x-asm | /templates/xxibeka/css/engine.css | 7692 |
| newsbrontima.com | 192.64.115.91 | - | /5jeno9e6lbsffl | 0 |
| | | text/plain | /epb4y7viha3 | 14 |
| online-serial.net | 178.208.83.15 | application/x-dosexec | /lok2.exe | 438272 |
| picsee.net | 62.75.207.72 | image/jpeg | /upload/2014-05-30/258f383e1712.jpeg | 61906 |
| | | | /upload/2014-05-30/552a444e0929.jpeg | 25267 |
| | | | /upload/2014-05-30/8db84be028a0.jpeg | 62012 |
| | | | /upload/2014-05-30/a906f803f653.jpeg | 71508 |
| | | | /upload/2014-05-30/ffb0f9075f26.jpeg | 65423 |
| t2bot.ru | 178.208.83.55 | application/x-dosexec | /lok2.exe | 876544 |
| | | | | ... |

62 rows × 1 columns
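As an added example (not the notebook's or workbench's own code), here is the same Bro-log-to-table step done with the Python standard library alone: a generator that streams records out of a Bro ASCII http.log, the group-by shown in the table above (host, id.resp_h, resp_mime_types, uri, summing response_body_len), and a defender's check that pulls out the groups delivering executable, JAR or PDF content. The log lines are constructed to resemble the rows in that table, with the field set trimmed to what the example uses; the uids and timestamps are placeholders.

```python
import io
from collections import defaultdict

# Constructed sample (not captured from the notebook's PCAP): a Bro ASCII http.log
# trimmed to the fields used below. Header lines follow Bro's format: "#fields"
# names the columns, "-" marks an unset field and "(empty)" an empty set.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\tresp_mime_types\tresponse_body_len\n"
    "#types\ttime\tstring\taddr\taddr\tstring\tstring\tset[string]\tcount\n"
    "1401401000.1\tCx01\t192.168.39.10\t178.208.85.60\tgold-xxx.net\t/\ttext/html\t30992\n"
    "1401401001.2\tCx01\t192.168.39.10\t178.208.85.60\tgold-xxx.net\t/css/engine.css\t-\t0\n"
    "1401401002.3\tCx02\t192.168.39.10\t80.72.37.112\t323210841-1.paroonic.ru\t/1401379560.jar\tapplication/jar\t31887\n"
    "1401401003.4\tCx02\t192.168.39.10\t80.72.37.112\t323210841-1.paroonic.ru\t/f/1401379560/6\tapplication/x-dosexec\t156160\n"
    "1401401004.5\tCx02\t192.168.39.10\t80.72.37.112\t323210841-1.paroonic.ru\t/f/1401379560/6\tapplication/x-dosexec\t156160\n"
    "#close\t2014-05-29-12-00-00\n"
)


def parse_bro_log(text):
    """Yield one dict per record, mirroring the notebook's streaming generators:
    rows are produced lazily, and unset/empty fields become None."""
    fields, unset, empty = None, "-", "(empty)"
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#"):          # header line or trailing #close
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            elif key == "#empty_field":
                empty = value
            continue
        if not line or fields is None:
            continue
        values = line.split("\t")
        if len(values) != len(fields):   # refuse to silently misalign columns
            raise ValueError("field count mismatch: %r" % line)
        yield {name: (None if v in (unset, empty) else v)
               for name, v in zip(fields, values)}


def group_response_bytes(rows):
    """The notebook's group-by without pandas: sum response_body_len over
    (host, id.resp_h, resp_mime_types, uri). '-' stands in for a missing MIME type."""
    totals = defaultdict(int)
    for row in rows:
        key = (row["host"], row["id.resp_h"], row["resp_mime_types"] or "-", row["uri"])
        totals[key] += int(row["response_body_len"] or 0)
    return dict(totals)


# MIME types the grouped table shows being served by the exploit-kit host.
RISKY_MIME = {"application/x-dosexec", "application/jar", "application/pdf"}


def risky_downloads(totals):
    """Defender's view of the grouped table: only executable, JAR or PDF content,
    largest transfer first, so payload deliveries stand out from page assets."""
    hits = [(key, size) for key, size in totals.items() if key[2] in RISKY_MIME]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    totals = group_response_bytes(parse_bro_log(SAMPLE_HTTP_LOG))
    for (host, ip, mime, uri), size in sorted(totals.items()):
        print("%-25s %-15s %-22s %-20s %d" % (host, ip, mime, uri, size))
    print("risky:", risky_downloads(totals))
```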