
I know basic Python and I have a log file. I have also printed the ports from the log file, and there are a great many ports in the output.

I want to know how to take only the dangerous ports from the printed ports.

  • Also, I need to get the IP addresses for the dangerous ports.
  • Finally, how do I know whether the IP addresses are local IPs or global IPs?

import os
from collections import Counter

asc_order = []


def openfile(filename):
    # Return the whole file as one string, or None if the path does not exist
    if os.path.exists(filename):
        with open(filename, "r") as fh:
            return fh.read()
    return None


def parselog(logline):
    # Split on spaces: field 1 holds the tab-separated header columns
    # (which include date=...), every later field is a key=value pair
    c = logline.split(" ")
    r = {}
    for i, var in enumerate(c):
        if i == 1:
            for el in var.split("\t"):
                if el.startswith("date="):
                    r["date"] = el.split("=")[1]
        elif i > 1:
            v = var.split("=", 1)
            if len(v) == 2:  # skip tokens that are not key=value
                r[v[0]] = v[1].strip("\"")
    return r


def splitline(logall):
    # One entry per line, with any trailing carriage return removed
    return [el.strip("\r") for el in logall.split("\n")]


def main():
    f = openfile("/Users/angelin/Desktop/new sec/2017-04-18_010.082.012.003.txt")
    if f is None:
        print("File not found")
        return
    s = splitline(f)
    counts = Counter()  # destination port -> number of log lines
    for el in s:
        if len(el) > 50:
            p = parselog(el)
            if "dstport" in p:
                counts[p["dstport"]] += 1
                asc_order.append(p["dstport"])
    # map() returns an iterator in Python 3, so sorted() builds the list
    ascending = sorted(map(int, asc_order))
    for port in ascending:
        print("Dest Port : %d" % port)
    print("")
    # most frequent destination ports first
    y = sorted(counts.items(), key=lambda x: x[1], reverse=True)
    for x, z in y:
        print('Dest Port %s Count: %s' % (x, z))


if __name__ == "__main__":
    main()

This is a sample from the log file:

2017-04-17 00:00:00 Local7.Info 10.82.12.3  
date=2017-04-16 
time=23:59:59 
devname=IDS-DC14-001 
devid=FGT90D3Z15018997 
logid=1059028704 
type=utm 
subtype=app-ctrl 
eventtype=app-ctrl-all 
level=information 
vd=root 
appid=27946 
user="" 
srcip=10.80.10.249 
srcport=9170 
srcintf="wan1" 
dstip=208.91.112.198 
dstport=53 
dstintf="wan1" 
profiletype="applist" 
proto=17 service="DNS" 
policyid=3 
sessionid=39717767 
applist="sniffer-profile" 
appcat="Cloud.IT" 
app="Fortiguard.Search" 
action=pass 
msg="Cloud.IT: Fortiguard.Search," 
apprisk=medium

1 Answer

You ask multiple things here and overall it is vague what you want to achieve, so I can only give you a general answer with a few pointers:

  1. You need to find the log pattern, i.e. what defines one iteration.

For example, if each iteration starts with

2017-04-17 00:00:00 Local7.Info 10.82.12.3

and ends with apprisk=medium

then you need to isolate those and split the whole log into such chunks.

  2. Use regular expressions to help you accurately match a string.

  3. Define dangerous ports:

dangerousPorts = [80,8080,27015] # etc

  4. And, lastly, check:

    if port in dangerousPorts: warnSomeone()

  • I do not know which ones are the suspicious destination ports, because there are more than thousands of ports in the log file, so how can I put in all the ports? – Angeline Sep 07 '17 at 13:37
  • You need to define "dangerous ports". Python doesn't know that by default. – Adelin Sep 07 '17 at 13:38
  • So I need to search every port on Google? After that I have to put them in the Python code, but there are lots of ports. – Angeline Sep 07 '17 at 13:40
  • Yes. Dangerous is relative. Because for you `80` might be *dangerous* but for me it's super safe, but `81` not so much. – Adelin Sep 07 '17 at 13:42
  • So after that, how should I take the local IP addresses from the ports? – Angeline Sep 07 '17 at 13:47
  • @Angeline I reworded my answer. I hope it makes more sense now – Adelin Sep 07 '17 at 14:04
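The following is an added example that is not part of the question or the answer above. It puts the answer's four pointers together on the key=value format shown in the question: a regular expression parses each line, a user-chosen set of ports (an assumption for the example, not a standard list; as the answer says, "dangerous" is relative to your network) selects the records, and the standard library's ipaddress module decides whether each source and destination address is local or global. The log lines are constructed sample data in the question's format; the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the FortiGate-style key=value layout from the question
# (only a subset of the fields; values are made up for the example).
SAMPLE_LOG = """\
2017-04-17 00:00:00 Local7.Info 10.82.12.3 date=2017-04-16 time=23:59:59 devname=IDS-DC14-001 srcip=10.80.10.249 srcport=9170 dstip=208.91.112.198 dstport=53 proto=17 service="DNS" action=pass
2017-04-17 00:00:01 Local7.Info 10.82.12.3 date=2017-04-16 time=23:59:59 devname=IDS-DC14-001 srcip=10.80.10.250 srcport=51000 dstip=208.91.112.198 dstport=23 proto=6 service="TELNET" action=pass
2017-04-17 00:00:02 Local7.Info 10.82.12.3 date=2017-04-16 time=23:59:59 devname=IDS-DC14-001 srcip=192.168.1.20 srcport=51001 dstip=10.80.10.5 dstport=445 proto=6 service="SMB" action=pass
2017-04-17 00:00:03 Local7.Info 10.82.12.3 date=2017-04-16 time=23:59:59 devname=IDS-DC14-001 srcip=10.80.10.249 srcport=51002 dstip=10.80.10.6 dstport=445 proto=6 service="SMB" action=pass
"""

# Ports this operator has decided to watch. This set is an assumption made for
# the example; choose the ports that matter on your own network.
DANGEROUS_PORTS = {23, 445, 3389}

# Matches key=value, where value is either a double-quoted string or a run of
# non-whitespace characters (quoted form tried first so spaces inside quotes survive).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one log line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify_ip(ip_text):
    """'local' for private/reserved addresses (RFC 1918, loopback, link-local and
    other IANA reserved ranges, as reported by ipaddress.is_private), else 'global'."""
    ip = ipaddress.ip_address(ip_text)
    return "local" if ip.is_private else "global"


def find_dangerous(log_text, dangerous_ports=DANGEROUS_PORTS):
    """Return one dict per record whose dstport is in dangerous_ports, carrying the
    source and destination IPs and whether each is local or global."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "dstport" not in rec or "dstip" not in rec:
            continue
        try:
            port = int(rec["dstport"])
        except ValueError:
            continue  # malformed port field: skip the record rather than crash
        if port in dangerous_ports:
            hits.append({
                "dstport": port,
                "srcip": rec.get("srcip"),
                "srcip_scope": classify_ip(rec["srcip"]) if "srcip" in rec else None,
                "dstip": rec["dstip"],
                "dstip_scope": classify_ip(rec["dstip"]),
            })
    return hits


def ips_by_port(hits):
    """Group the destination IPs seen for each dangerous port."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["dstport"]].add(h["dstip"])
    return {port: sorted(ips) for port, ips in grouped.items()}


if __name__ == "__main__":
    hits = find_dangerous(SAMPLE_LOG)
    for h in hits:
        print("dstport %d: %s (%s) -> %s (%s)" % (
            h["dstport"], h["srcip"], h["srcip_scope"], h["dstip"], h["dstip_scope"]))
    print(ips_by_port(hits))
```

To run it against the real file, read the file into a string (as openfile() in the question does) and pass that string to find_dangerous(). Note that is_private also treats the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and a few other reserved blocks as private, so do not use those as stand-ins for public addresses when testing.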