geedge-jira/md/OMPUB-873.md

2025-09-14 21:52:36 +00:00
# [E21 site] For DoS Events data, can the top N source IPs for a given destination IP be computed quickly?
| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-873 | 2023-03-28T02:35:39.000+0800 | | Done |
---
Could we quickly compute the top N source IP information for a given destination IP within a specified time range from the DoS Events data?
Currently, at the E site, for the DoS Events logs with Severity=Critical in the period 2022-09-01~2023-03-16, the top 2 Destination IPs are:
197.156.74.223: 236 hits
197.156.74.222: 166 hits

Searching the logs for a given destination IP returns Source IPs lists, and many of the entries are even Private IPs. How can we quickly compute the top N source IPs, with their total occurrence counts, for a specific destination IP in a given time range?
---
**doufenghu** commented on *2023-03-30T14:58:25.140+0800*:
* Obtain the result with a SQL query:

```sql
-- Explode the comma-separated source_ip_list of each matching event and count per source IP
select item, sum(count) as count
from (
    select arrayJoin(items) as item, count
    from (
        select splitByString(',', source_ip_list) as items, count(*) as count
        from dos_event lt
        where destination_ip = '27.50.64.2'
          and notEmpty(source_ip_list)
          and start_time >= toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-10 00:00:00+03:00')))
          and start_time <  toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-26 00:00:00+03:00')))
        group by source_ip_list
    )
)
group by item
order by count desc
limit 10
```

* Support in later versions:
  * Option 1: in 23.04, define the business logic type of Source IPs as Array so it can be counted as a multi-value column (based on the business logic type definition support in v23.03)
  * Option 2: add DoS Events to the Report Log Type and add a preset dataset
---
**liuju** commented on *2023-03-31T22:27:47.207+0800*:
Received.
---
**liuyang** commented on *2023-04-04T09:22:01.118+0800*:
Search the session records with server ip set to the target IP, then use the log field discovery to view the top 10 client ip. Would that meet the need? [~liuju]
---
**liuju** commented on *2023-05-04T16:01:28.997+0800*:
[~liuyang] Yang, do you mean searching the way shown in the attached screenshot? The top 10 result at the site is 10 sets of source ips, which does not match expectations; what is wanted is the top N client ip.
---
**liuju** commented on *2023-05-04T22:21:10.663+0800*:
Using the query statement Hu provided, the top 10 client ip for Destination IP 197.156.74.223/222 in April were all 10.x.x.x private IPs. With the updated statement from Daijie, the top 10 client ip and count for Destination IP 197.156.74.223/222 in April, with private IPs excluded, can be queried. The current query results have been uploaded and are shown in the attachments.
The updated query statements that were executed are as follows:
1. Connect to ClickHouse:

```shell
clickhouse-client -h 10.224.11.35 --port 9001 -m -u default -d tsg_galaxy_v3 --password ***
```

2. Run the query (same as before, with a filter that drops entries starting with the private prefixes):

```sql
select item, sum(count) as count
from (
    select arrayJoin(items) as item, count
    from (
        select splitByString(',', source_ip_list) as items, count(*) as count
        from dos_event lt
        where destination_ip = '27.50.64.2'
          and notEmpty(source_ip_list)
          and start_time >= toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-10 00:00:00+03:00')))
          and start_time <  toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-26 00:00:00+03:00')))
        group by source_ip_list
    )
)
-- prefix filter for private ranges; note '172.%' also matches public 172.32-172.255 addresses
where (item not like('10.%') and item not like('172.%') and item not like('192.168.%'))
group by item
order by count desc
limit 10;
```
---
**liuyang** commented on *2023-05-12T20:58:19.110+0800*:
[~liuju] Search directly in session record, not in dos event.
![screenshot-1.png](screenshot-1.png)
---
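The counting logic the thread's ClickHouse query implements (explode each event's comma-separated `source_ip_list`, count per source IP for one destination within a time window, drop private addresses, keep the top N), as an added Python example that is not part of the ticket or the product. It assumes rows shaped like the `dos_event` columns used above (`start_time` as a Unix timestamp, `destination_ip`, `source_ip_list`) and uses constructed sample rows, not site data. It goes one step beyond the `like '172.%'` filter by matching the exact RFC 1918 ranges, so public 172.32.0.0 to 172.255.255.255 sources are no longer silently dropped:

```python
"""Top-N source IPs for one destination IP from DoS event rows (added example,
not the ticket's own code). Mirrors the thread's splitByString + arrayJoin +
group by, with an exact RFC 1918 private-address filter."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumption: the thread's queries use a +03:00 offset for the time window.
SITE_TZ = timezone(timedelta(hours=3))


def to_ts(local: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' interpreted in SITE_TZ -> Unix timestamp (like start_time)."""
    return int(datetime.strptime(local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SITE_TZ).timestamp())


# RFC 1918 ranges only; 172.16.0.0/12 is exact, unlike the SQL prefix '172.%'.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for addresses inside the three RFC 1918 private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed entries are kept so they surface in the output for inspection
    return any(addr in net for net in RFC1918)


# Constructed sample rows (start_time, destination_ip, source_ip_list); not real site data.
SAMPLE_ROWS = [
    (to_ts("2023-04-02 10:00:00"), "197.156.74.223", "10.1.1.5,41.13.9.7,172.32.4.4"),
    (to_ts("2023-04-09 03:30:00"), "197.156.74.223", "41.13.9.7,172.16.8.8,196.200.1.1"),
    (to_ts("2023-04-21 18:45:00"), "197.156.74.223", "172.32.4.4,41.13.9.7,192.168.0.9"),
    (to_ts("2023-05-02 00:00:00"), "197.156.74.223", "41.13.9.7,5.5.5.5"),  # outside the window
    (to_ts("2023-04-15 12:00:00"), "197.156.74.222", "41.13.9.7"),          # other destination
    (to_ts("2023-04-16 12:00:00"), "197.156.74.223", ""),                   # empty list, skipped
]


def top_sources(rows, destination_ip, start_ts, end_ts, n=10, exclude_private=True):
    """Explode source_ip_list of every matching event and count per source IP.

    Returns [(source_ip, count), ...] sorted by count descending, at most n entries.
    The window is half-open [start_ts, end_ts), as in the SQL.
    """
    counts = Counter()
    for start_time, dst, src_list in rows:
        if dst != destination_ip or not (start_ts <= start_time < end_ts) or not src_list:
            continue  # wrong destination, outside window, or notEmpty() would fail
        for item in src_list.split(","):
            item = item.strip()
            if not item or (exclude_private and is_rfc1918(item)):
                continue
            counts[item] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    window = (to_ts("2023-04-01 00:00:00"), to_ts("2023-05-01 00:00:00"))
    for ip, hits in top_sources(SAMPLE_ROWS, "197.156.74.223", *window):
        print(f"{ip:<16} {hits}")
```

With the sample rows, `172.32.4.4` stays in the result (it is public address space), while `10.1.1.5`, `172.16.8.8` and `192.168.0.9` are dropped; the row dated 2023-05-02 falls outside the half-open window and the row for the other destination is ignored. Setting `exclude_private=False` reproduces the thread's original observation that private 10.x.x.x sources dominate the list.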
## Attachments
**36666/Critical+Dos+Events.docx**
---
**37679/image-2023-05-04-11-00-42-114.png**
---
**37923/screenshot-1.png**
---
**36665/微信图片_20230327212759.png**
---
**37681/微信图片_20230504171242.png**
---
**37682/微信图片_20230504171250.png**
---
**37683/微信图片_20230504171552.png**
---
**37684/微信图片_20230504171559.png**
---