geedge-jira/md/OMPUB-873.md
2025-09-14 21:52:36 +00:00

[E21 site] Can the DoS Events data quickly produce the top N source IPs for a given destination IP?

| ID | Creation Date | Assignee | Status |
|---|---|---|---|
| OMPUB-873 | 2023-03-28T02:35:39.000+0800 | | Done |

For the DoS Events data, is it possible to quickly produce the top N source IPs for a given destination IP within a specified time range?

Currently, at the E site, we tallied the DoS Events log entries with Severity=Critical for the period 2022-09-01 to 2023-03-16.

The top 2 destination IPs are:

- 197.156.74.223: 236 occurrences
- 197.156.74.222: 166 occurrences

Searching the logs for a specified destination IP returns a list of Source IPs, and many of them are even private IPs. How can we quickly produce the top N source IPs, with their total occurrence counts, for a specific destination IP within a specified time range?

doufenghu commented on 2023-03-30T14:58:25.140+0800:

- Get the result with a SQL query (ClickHouse; the original was tagged as Java, which is wrong):

```sql
select item, sum(count) as count
from (
    select arrayJoin(items) as item, count
    from (
        select splitByString(',', source_ip_list) as items, count(*) as count
        from dos_event lt
        where destination_ip = '27.50.64.2'
          and notEmpty(source_ip_list)
          and start_time >= toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-10 00:00:00+03:00')))
          and start_time <  toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-26 00:00:00+03:00')))
        group by source_ip_list
    )
)
group by item
order by count desc
limit 10
```

- Support in later versions:
  - Option 1: In 23.04, define the business-logic type of Source IPs as Array so it can be counted as a multi-value column (based on the business-logic type definition support in v23.03)
  - Option 2: Add DoS Events to Report Log Type and add a preset dataset

liuju commented on 2023-03-31T22:27:47.207+0800:

Received.


liuyang commented on 2023-04-04T09:22:01.118+0800:

Search session records with server ip set to the target IP, then use the log field discovery view to check the top 10 client ips. Would that meet the requirement? [~liuju]


liuju commented on 2023-05-04T16:01:28.997+0800:

[~liuyang] Yang, do you mean searching the way shown in the attached screenshot? On site, the top 10 results of that search are 10 sets of source IPs, which does not match expectations; what we want is the top N client IPs.


liuju commented on 2023-05-04T22:21:10.663+0800:

Using the query Hu provided, the top 10 client IPs for April with Destination IP 197.156.74.223/222 were all 10.x.x.x private IPs. Using the query that Daijie updated, we could then get the top 10 client IPs and counts for April with Destination IP 197.156.74.223/222 after excluding private IPs. The query results have been uploaded and are shown in the attachments.

The updated query that was executed is as follows:

1. `clickhouse-client -h 10.224.11.35 --port 9001 -m -u default -d tsg_galaxy_v3 --password ***`

2.

```sql
select item, sum(count) as count
from (
    select arrayJoin(items) as item, count
    from (
        select splitByString(',', source_ip_list) as items, count(*) as count
        from dos_event lt
        where destination_ip = '27.50.64.2'
          and notEmpty(source_ip_list)
          and start_time >= toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-10 00:00:00+03:00')))
          and start_time <  toUnixTimestamp(parseDateTimeBestEffort(toString('2023-03-26 00:00:00+03:00')))
        group by source_ip_list
    )
    -- drop private source IPs; note that '172.%' also matches public 172.0.0.0/8
    -- addresses outside 172.16.0.0/12, so it excludes more than RFC 1918 space
    where (item not like('10.%') and item not like('172.%') and item not like('192.168.%'))
)
group by item
order by count desc
limit 10;
```

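The same top-N aggregation as the queries above, as an added stand-alone example rather than code from this ticket: it splits the comma-separated `source_ip_list` of constructed `dos_event` rows, filters by destination and time window, and drops private sources. It exposes the difference between the ticket's `LIKE '172.%'` filter and an exact RFC 1918 test, since a public 172.50.x.x source is silently dropped by the former. Row layout and sample values are assumptions.

```python
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed rows shaped like the ticket's dos_event table:
# (destination_ip, source_ip_list, start_time as ISO-8601 with offset).
SAMPLE_ROWS = [
    ("27.50.64.2", "10.1.2.3,41.23.5.6", "2023-03-12T10:00:00+03:00"),
    ("27.50.64.2", "41.23.5.6,172.50.1.9,192.168.1.5", "2023-03-15T11:30:00+03:00"),
    ("27.50.64.2", "172.50.1.9,185.60.10.3", "2023-03-20T08:00:00+03:00"),
    ("27.50.64.2", "41.23.5.6", "2023-03-27T00:00:00+03:00"),  # outside the window
    ("27.50.64.3", "41.23.5.6", "2023-03-12T10:00:00+03:00"),  # other destination
    ("27.50.64.2", "", "2023-03-13T10:00:00+03:00"),           # notEmpty() drops this
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def like_style_private(ip: str) -> bool:
    """Mirror of the ticket's LIKE filter: '10.%', '172.%', '192.168.%'."""
    return ip.startswith(("10.", "172.", "192.168."))


def rfc1918_private(ip: str) -> bool:
    """Exact RFC 1918 membership; unparsable strings count as private so they are dropped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in RFC1918)


def top_sources(rows, destination_ip, start, end, n=10, is_private=rfc1918_private):
    """Top-n source IPs seen against destination_ip in [start, end), private IPs excluded.

    Each element of a row's source_ip_list counts once, matching arrayJoin + sum(count).
    """
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    counts = Counter()
    for dst, ip_list, ts in rows:
        if dst != destination_ip or not ip_list:
            continue
        if not (t0 <= datetime.fromisoformat(ts) < t1):
            continue
        for ip in (s.strip() for s in ip_list.split(",")):
            if ip and not is_private(ip):
                counts[ip] += 1
    return counts.most_common(n)
```

With the ticket's window (2023-03-10 to 2023-03-26, +03:00) the exact filter keeps 172.50.1.9 while the LIKE-style filter removes it.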

liuyang commented on 2023-05-12T20:58:19.110+0800:

[~liuju] Search directly in session record, not in dos event. (attachment: screenshot-1.png)


Attachments

- 36666/Critical+Dos+Events.docx
- 37679/image-2023-05-04-11-00-42-114.png
- 37923/screenshot-1.png
- 36665/微信图片_20230327212759.png
- 37681/微信图片_20230504171242.png
- 37682/微信图片_20230504171250.png
- 37683/微信图片_20230504171552.png
- 37684/微信图片_20230504171559.png