Dictionaries
- The Python dictionary data structure is probably the most important in the entire language and allows us to associate values with keys.
- A key is any immutable object.
- The value associated with a key can be accessed with the indexing operator.
- In Python, dictionaries are implemented using hash tables.
A Python dictionary is a way of storing information as key: value pairs. Dictionaries are written with curly brackets, {}. Let's look at a dictionary of protocols, mapping service names to port numbers, for example:
Protocol Dictionary
services = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80}
A limitation of dictionaries is that a key can map to only one value: assigning to a key that already exists overwrites the value previously stored under it.
Using the update method, we can merge two distinct dictionaries into one. Where a key exists in both, update keeps the value from the dictionary passed in:
services = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80}
services2 = {"ftp": 21, "ssh": 22, "snmp": 161, "ldap": 389}
services.update(services2)  # ftp and ssh already match; snmp and ldap are added
print(services)
In each pair, the first element is the key and the second is the value stored under that key. We can use any immutable value as a key: numbers, strings, Booleans, or tuples, but not lists or dictionaries, since they are mutable.
The main difference between dictionaries and lists or tuples is that values in a dictionary are accessed by their key, not by a numeric index. The indexing operator can also be used to reassign values, just as with lists and tuples:
services["http"] = 8080
- services.keys() is a method that returns a view of all the keys in the dictionary.
- services.items() is a method that returns a view of all the (key, value) pairs in the dictionary.
keys = services.keys()
print(keys)
Storing IP Address Information
Dictionaries can be used to store information about IP addresses, such as their associated domain names or geolocation data.
ip_info = {
    "8.8.8.8": {
        "domain": "google-public-dns-a.google.com",
        "country": "US"
    },
    "8.8.4.4": {
        "domain": "google-public-dns-b.google.com",
        "country": "US"
    }
}
# Extracting Data from Dictionaries
# You can retrieve data from dictionaries using their keys:
ip = "8.8.8.8"
print(ip_info[ip]["domain"])  # Outputs: google-public-dns-a.google.com
for ip, details in ip_info.items():
    print(f"IP: {ip}, Domain: {details['domain']}, Country: {details['country']}")
Mapping Threat Intelligence
Dictionaries can also be used to map threat intelligence data, such as IP addresses, domains, and URLs to their associated threat types.
threat_intel = {
    "192.0.2.123": "Botnet",
    "203.0.113.204": "Phishing",
    "198.51.100.42": "Malware C2"
}
ip = "192.0.2.123"
print(threat_intel[ip])  # Outputs: Botnet
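The indexing lookup above raises a KeyError for any IP that is not in the mapping, which is the common case when checking real traffic. The following added example (not from the original page) looks up destination IPs from a few constructed connection records with dict.get(), which returns None for unknown keys, and then aggregates the hits per threat type in a second dictionary.

```python
# Added example, not part of the original page. THREAT_INTEL reuses the
# page's mapping; the log records below are constructed for illustration.
THREAT_INTEL = {
    "192.0.2.123": "Botnet",
    "203.0.113.204": "Phishing",
    "198.51.100.42": "Malware C2",
}

# Constructed firewall-style records in the form "<src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
10.0.0.5 -> 192.0.2.123:443
10.0.0.7 -> 93.184.216.34:80
10.0.0.5 -> 198.51.100.42:8443
10.0.0.9 -> 192.0.2.123:443
"""

def parse_line(line):
    """Split one record into (src_ip, dst_ip, port); return None if malformed."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "->" or ":" not in parts[2]:
        return None
    dst_ip, port = parts[2].rsplit(":", 1)
    if not port.isdigit():
        return None
    return parts[0], dst_ip, int(port)

def enrich(log_text, intel):
    """Return a list of (src_ip, dst_ip, threat_type) for destinations in intel.
    dict.get() avoids a KeyError for IPs absent from the mapping."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, _port = rec
        threat = intel.get(dst)  # None when the IP is not a known indicator
        if threat is not None:
            hits.append((src, dst, threat))
    return hits

def count_by_threat(hits):
    """Aggregate hits into {threat_type: count} using a dictionary."""
    counts = {}
    for _src, _dst, threat in hits:
        counts[threat] = counts.get(threat, 0) + 1
    return counts

if __name__ == "__main__":
    found = enrich(SAMPLE_LOG, THREAT_INTEL)
    for src, dst, threat in found:
        print(f"{src} contacted {dst} ({threat})")
    print(count_by_threat(found))
```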
Incident Response
During incident response, dictionaries can be used to map incidents to their details:
incidents = {
    "INC00123": {
        "type": "Malware Infection",
        "status": "Open",
        "assigned_to": "John Doe"
    },
    "INC00456": {
        "type": "Phishing Attempt",
        "status": "Resolved",
        "assigned_to": "Jane Smith"
    }
}
# Adding a new incident
incidents["INC00789"] = {
    "type": "DDoS Attack",
    "status": "In Progress",
    "assigned_to": "Alice Johnson"
}