sys.exit(1)
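# Sanity check that this is a file log
if 'files' not in args.bro_log:
    print('This example only works with Zeek files.log files..')
    sys.exit(1)

# File may have a tilde in it
if args.bro_log:
    args.bro_log = os.path.expanduser(args.bro_log)

# Create a VirusTotal Query Class
vtq = vt_query.VTQuery()

# A well-formed digest is hex-only and exactly 40 (sha1) or 64 (sha256)
# characters long. Log fields are untrusted input: anything that does not
# look like a digest is skipped instead of being sent to an external service.
HEX_DIGITS = frozenset('0123456789abcdefABCDEF')
DIGEST_LENGTHS = (40, 64)

# Run the bro reader on a given log file
reader = bro_log_reader.BroLogReader(args.bro_log, tail=True)
for row in reader.readrows():
    # Zeek writes '-' for an empty field; prefer sha256 and fall back to sha1
    file_sha = row.get('sha256', '-')
    if file_sha == '-':
        file_sha = row.get('sha1', '-')
        if file_sha == '-':
            print('Could not find a sha256 or a sha1 key! Skipping...')
            continue

    # Only query on values that are shaped like a real digest
    if len(file_sha) not in DIGEST_LENGTHS or not all(c in HEX_DIGITS for c in file_sha):
        # repr() keeps control characters from the log out of the terminal
        print('Malformed hash value {!r}! Skipping...'.format(file_sha))
        continue

    # Make the query with either sha
    results = vtq.query_file(file_sha)
    if results.get('positives', 0) > 1:  # At least two hits
        pprint(results)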
parser = argparse.ArgumentParser()
parser.add_argument('bro_log', type=str, help='Specify a bro log to run BroLogReader test on')
parser.add_argument('-t', '--tail', action='store_true', help='Turn on log tailing')
args, commands = parser.parse_known_args()

# Anything argparse did not consume is a usage error
if commands:
    print(f'Unrecognized args: {commands}')
    sys.exit(1)

# Expand a leading ~ so the reader gets a usable path
if args.bro_log:
    args.bro_log = os.path.expanduser(args.bro_log)

# Stream every row of the log and dump it
# NOTE(review): strict=True presumably fails on malformed rows rather than
# skipping them -- confirm against BroLogReader
reader = bro_log_reader.BroLogReader(args.bro_log, tail=args.tail, strict=True)
for row in reader.readrows():
    pprint(row)
# Anything argparse did not consume is a usage error
if commands:
    print(f'Unrecognized args: {commands}')
    sys.exit(1)

# This example only makes sense on an ssl.log
if 'ssl' not in args.bro_log:
    print('This example only works with Zeek ssl.log files..')
    sys.exit(1)

# Expand a leading ~ so the reader gets a usable path
if args.bro_log:
    args.bro_log = os.path.expanduser(args.bro_log)

# Reader over the ssl.log, used below to look for potential Tor connections
reader = bro_log_reader.BroLogReader(args.bro_log, tail=args.t)

# Running count of possible Tor connections identified
number = 0

# Destination ports seen so far, collected for the port statistics
ports = []
for row in reader.readrows():
# Add the destination port to the list of ports
ports.append(row['id.resp_p'])
# Pull out the Certificate Issuer
try:
issuer = row['issuer']
except KeyError:
print('Could not find the issuer field in your ssl.log. Please verify your log file.')
sys.exit(1)
# Check if the issuer matches the known Tor format
if issuer_regex.match(issuer):
def test():
    """Test for LogToDataFrame Class"""
    import os
    from zat.utils import file_utils

    pd.set_option('display.width', 1000)

    # Locate the shared test data directory relative to this module
    data_path = file_utils.relative_dir(__file__, '../data')
    log_path = os.path.join(data_path, 'conn.log')

    # Convert the log into a Pandas DataFrame and show a quick summary
    converter = LogToDataFrame()
    frame = converter.create_dataframe(log_path)
    print(frame.head())
    print(frame.dtypes)

    # Logs to run the converter over
    tests = ['app_stats.log', 'dns.log', 'http.log', 'notice.log', 'tor_ssl.log',
             'conn.log', 'dhcp_002.log', 'files.log', 'smtp.log', 'weird.log',
             'ftp.log', 'ssl.log', 'x509.log']
def test():
    """Test for DataFrame Stats module"""
    import os
    from zat.utils import file_utils

    # Load the sample dataset that ships next to this module
    data_dir = file_utils.relative_dir(__file__, 'test_data')
    file_path = os.path.join(data_dir, 'g_test_data.csv')
    frame = pd.read_csv(file_path)
    print(frame.head())

    # Print each statistic table under its heading
    tables = (
        ('\nContingency Table', contingency_table),
        ('\nJoint Distribution Table', joint_distribution),
        ('\nExpected Counts Table', expected_counts),
    )
    for heading, compute in tables:
        print(heading)
        print(compute(frame, 'name', 'status'))
def test():
    """Test for BroMultiLogReader Python Class"""
    from zat.utils import file_utils

    # Test data lives one directory up from this module
    data_path = file_utils.relative_dir(__file__, '../data')

    # Exercise the reader on a gzipped log and on glob patterns (plain and gzipped)
    for pattern in ('http.log.gz', 'dhcp*.log', 'dhcp*.log.gz'):
        test_path = os.path.join(data_path, pattern)
        print(f'Opening Data File: {test_path}')
        for line in BroMultiLogReader(test_path).readrows():
            print(line)

    print('Tests successful!')
def test():
    """Test the DirWatcher Class"""
    watch_path = file_utils.relative_dir(__file__, '../../data')
    print(f'Watching Directory: {watch_path}')
    DirWatcher(watch_path, my_callback)

    # Touch a file, give the watcher a moment to notice it, then clean up
    temp_file = os.path.join(watch_path, 'test.tmp')
    with open(temp_file, 'w'):
        pass
    time.sleep(1)
    os.remove(temp_file)
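def test():
    """Test for LogToSparkDF Class"""
    import os
    from zat.utils import file_utils
    from pyspark.sql import SparkSession

    # Spin up a local Spark Session (with 4 executors)
    spark = SparkSession.builder.master('local[4]').appName('my_awesome').getOrCreate()

    # Grab a test file
    data_path = file_utils.relative_dir(__file__, '../data')
    log_path = os.path.join(data_path, 'ftp.log')

    # Convert it to a Spark DataFrame
    log_to_spark = LogToSparkDF(spark)
    spark_df = log_to_spark.create_dataframe(log_path)

    # show() and printSchema() write to stdout themselves and return None, so
    # they are called for their side effect; wrapping them in print() added a
    # stray 'None' line after each table.
    spark_df.show()
    spark_df.printSchema()

    num_rows = spark_df.count()
    print("Number of Spark DataFrame rows: {:d}".format(num_rows))
    columns = spark_df.columns
    print("Columns: {:s}".format(','.join(columns)))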
def test():
    """Test for LiveSimulator Python Class"""
    # Path to the sample conn.log in the shared test data directory
    data_path = file_utils.relative_dir(__file__, '../data')
    test_path = os.path.join(data_path, 'conn.log')
    print(f'Opening Data File: {test_path}')

    # Stream at most ten rows through the simulator and echo each one
    simulator = LiveSimulator(test_path, max_rows=10)
    for row in simulator.rows():
        print(row)
    print('Read with max_rows Test successful!')
def test():
    """Test for the Cache class"""
    # Entries in this cache expire after one second
    cache = Cache(max_size=5, timeout=1)
    cache.set('foo', 'bar')

    # A fresh entry is readable...
    assert cache.get('foo') == 'bar'

    # ...and gone once the timeout has elapsed
    time.sleep(1.1)
    assert cache.get('foo') is None

    # Overfilling a size-bounded cache evicts the oldest entry (FIFO)
    cache = Cache(max_size=5)
    for index in range(6):
        cache.set(str(index), index)
    assert cache.get('0') is None