diff --git a/src/main/java/net/geedge/asw/module/app/service/impl/TSGApplicationServiceImpl.java b/src/main/java/net/geedge/asw/module/app/service/impl/TSGApplicationServiceImpl.java
index 7e89c9c..da42a17 100644
--- a/src/main/java/net/geedge/asw/module/app/service/impl/TSGApplicationServiceImpl.java
+++ b/src/main/java/net/geedge/asw/module/app/service/impl/TSGApplicationServiceImpl.java
@@ -159,53 +159,56 @@ public class TSGApplicationServiceImpl implements ITSGApplicationService { .build(); List source_object_ids = T.ListUtil.list(true); + // sig_objects JSONArray items = conditionJSONObj.getJSONArray("items"); - for (Object item : items) { - String name = T.MapUtil.getStr((JSONObject) item, "item"); - String objectType = attributeEntity.getObjectType(); - if ("application" .equalsIgnoreCase(objectType)) continue; + String conditionType = attributeEntity.getObjectType(); + if ("application".equalsIgnoreCase(conditionType)) { + continue; + } else if ("boolean".equals(conditionType)) { + items.stream() + .map(obj -> (JSONObject) obj) + .forEach(item -> { + String itemValue = T.MapUtil.getStr((JSONObject) item, "item"); + if ("True".equalsIgnoreCase(itemValue)) { + source_object_ids.add(2); + } else if ("False".equalsIgnoreCase(itemValue)) { + source_object_ids.add(3); + } + }); + } else if ("ip_protocol".equals(conditionType)) { + items.stream() + .map(obj -> (JSONObject) obj) + .forEach(item -> { + String itemValue = T.MapUtil.getStr((JSONObject) item, "item"); + if ("ICMP".equalsIgnoreCase(itemValue)) { + source_object_ids.add(5); + } else if ("TCP".equalsIgnoreCase(itemValue)) { + source_object_ids.add(6); + } else if ("UDP".equalsIgnoreCase(itemValue)) { + source_object_ids.add(7); + } + }); + } else { + String name = T.MapUtil.getStr((JSONObject) items.getFirst(), "item"); + Map sig_object = T.MapUtil.builder() + .put("id", sig_object_id) + .put("source_id", sig_object_id) + .put("name", name) + .put("source_name", name) + .put("type", conditionType) + .put("sub_type", attributeEntity.getType()) + .put("member_type", "item") + .put("uuid", T.IdUtil.fastSimpleUUID()) + .put("statistics_option", "none") + .build(); - if ("boolean" .equals(objectType)) { - String itemValue = T.MapUtil.getStr((JSONObject) item, "item"); - if ("True" .equalsIgnoreCase(itemValue)) { - source_object_ids.add(2); - } else if ("False" .equalsIgnoreCase(itemValue)) { - 
source_object_ids.add(3); - } else { - continue; - } - } else if ("ip_protocol" .equals(objectType)) { - String itemValue = T.MapUtil.getStr((JSONObject) item, "item"); - if ("ICMP" .equalsIgnoreCase(itemValue)) { - source_object_ids.add(5); - } else if ("TCP" .equalsIgnoreCase(itemValue)) { - source_object_ids.add(6); - } else if ("UDP" .equalsIgnoreCase(itemValue)) { - source_object_ids.add(7); - } else { - continue; - } - } else { - source_object_ids.add(sig_object_id); + Map member = this.buildTSG2402SignaturesMember(attributeEntity, items); + sig_object.put("member", member); - Map member = this.buildTSG2402SignaturesMember(attributeEntity, (JSONObject) item); - - Map sig_object = T.MapUtil.builder() - .put("id", sig_object_id) - .put("source_id", sig_object_id) - .put("name", name) - .put("source_name", name) - .put("type", objectType) - .put("sub_type", attributeEntity.getType()) - .put("member_type", "item") - .put("member", member) - .put("uuid", T.IdUtil.fastSimpleUUID()) - .put("statistics_option", "none") - .build(); - sig_objects.add(sig_object); - } + sig_objects.add(sig_object); + source_object_ids.add(sig_object_id); sig_object_id++; } @@ -217,8 +220,10 @@ public class TSGApplicationServiceImpl implements ITSGApplicationService { and_conditions.add(and_condition_item); } - m.put("and_conditions", and_conditions); - signatures.add(m); + if (T.CollUtil.isNotEmpty(and_conditions)) { + m.put("and_conditions", and_conditions); + signatures.add(m); + } } } sig_objects.add(T.JSONUtil.parseObj(""" 
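Review bot: In the final `else` branch, `items.getFirst()` is called with no check that `items` holds anything, so a condition with an empty `items` array now throws where the removed `for` loop simply iterated zero times. A guard ahead of the branch chain, `if (items == null || items.isEmpty()) { continue; }`, restores the old behaviour and also covers a missing `items` key, which presumably comes back as null. The same branch takes `name` from the first item only while `buildTSG2402SignaturesMember` receives every item, so a one-line comment such as `// object is named after its first item; all items become members` would make that intent explicit. The enclosing loop and method start outside the hunk.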
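Review bot: The new `if (T.CollUtil.isNotEmpty(and_conditions))` guard omits a signature that ends up with no conditions without leaving any trace. Conditions of type `application` are already skipped by `continue` in the previous hunk, so the generated output can lack a signature that the source data defined, and nobody reading the result would know why. An `else` branch that logs the skipped entry at warn level would make the omission visible, using whatever logger the class already has (none is visible here). It could carry a comment such as `// no translatable conditions: signature intentionally omitted`. The surrounding loops open outside the hunk.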
@@ -298,139 +303,143 @@ public class TSGApplicationServiceImpl implements ITSGApplicationService { return m; } - private Map buildTSG2402SignaturesMember(AttributeEntity attributeEntity, JSONObject item) { + private Map buildTSG2402SignaturesMember(AttributeEntity attributeEntity, JSONArray itemArr) { List list = T.ListUtil.list(true); - String objectType = attributeEntity.getObjectType().toLowerCase(); - switch (objectType) { - case "keywords": - case "http_signature": { - String str = item.getStr("item"); - List patternExprList = T.ListUtil.list(true); - patternExprList.add(str); + itemArr.stream() + .map(obj -> (JSONObject) obj) + .forEach(item -> { + String objectType = attributeEntity.getObjectType().toLowerCase(); + switch (objectType) { + case "keywords": + case "http_signature": { + String str = item.getStr("item"); + List patternExprList = T.ListUtil.list(true); + patternExprList.add(str); - // 0 -> 无表达式,1 -> 与表达式,2 -> 正则表达式,3、带偏移量的子串匹配 - int expr_type = 0; - String exprType = item.getStr("exprType", "and"); - if ("and" .equalsIgnoreCase(exprType)) { - patternExprList = T.StrUtil.split(str, "&"); - if (patternExprList.size() > 1) { - expr_type = 1; + // 0 -> 无表达式,1 -> 与表达式,2 -> 正则表达式,3、带偏移量的子串匹配 + int expr_type = 0; + String exprType = item.getStr("exprType", "and"); + if ("and".equalsIgnoreCase(exprType)) { + patternExprList = T.StrUtil.split(str, "&"); + if (patternExprList.size() > 1) { + expr_type = 1; + } + } else if ("regex".equalsIgnoreCase(exprType)) { + expr_type = 2; + } + + JSONArray patternArr = new JSONArray(); + for (String expr : patternExprList) { + JSONObject pattern = new JSONObject(); + pattern.put("keywords", expr); + + Map rangeVarMap = this.getRangeVarFromExpr(expr); + if (T.MapUtil.isNotEmpty(rangeVarMap)) { + expr_type = 3; + pattern.put("keywords", expr.replaceAll("^\\(.*?\\)", "")); + pattern.put("offset", T.MapUtil.getInt(rangeVarMap, "offset")); + pattern.put("depth", T.MapUtil.getInt(rangeVarMap, "depth")); + } + 
patternArr.add(pattern); + } + + if ("keywords".equals(objectType)) { + Map m = T.MapUtil.builder() + .put("string", T.MapUtil.builder() + .put("item_type", "keywords") + .put("expr_type", expr_type) + .put("is_hexbin", 0) + .put("patterns", patternArr) + .build() + ).build(); + list.add(m); + } + if ("http_signature".equals(objectType)) { + Map m = T.MapUtil.builder() + .put("contextual_string", T.MapUtil.builder() + .put("expr_type", expr_type) + .put("is_hexbin", 0) + .put("context_name", item.getStr("district", "Set-Cookie")) + .put("patterns", patternArr) + .build() + ) + .build(); + list.add(m); + } + break; + } + case "url": + case "fqdn": { + Map m = T.MapUtil.builder() + .put("string", T.MapUtil.builder() + .put("item_type", objectType) + .put("expr_type", 0) + .put("is_hexbin", 0) + .put("patterns", T.ListUtil.of( + new JSONObject().put("keywords", item.getStr("item")) + )) + .build() + ) + .build(); + list.add(m); + break; + } + case "ip": { + String str = item.getStr("item"); + String ip = str; + String port = "0-65535"; + if (str.contains("#")) { + ip = str.split("#")[0]; + port = str.split("#")[1]; + } + Map m = T.MapUtil.builder() + .put("ip", T.MapUtil.builder() + .put("addr_type", Validator.isIpv4(str) ? 
4 : 6) + .put("port", port) + .put("ip_address", ip) + .build() + ) + .build(); + list.add(m); + break; + } + case "port": { + String port = item.getStr("item"); + Map m = T.MapUtil.builder() + .put("port", new JSONObject().put("port", port)) + .build(); + if (port.contains("-")) { + m.put("port", new JSONObject().put("port_range", port)); + } + list.add(m); + break; + } + case "interval": { + String str = item.getStr("item"); + String low_boundary = str, up_boundary = str; + if (str.contains("-")) { + low_boundary = item.getStr("item").split("-")[0]; + up_boundary = item.getStr("item").split("-")[1]; + } + Map m = T.MapUtil.builder() + .put("interval", T.MapUtil.builder() + .put("low_boundary", low_boundary) + .put("up_boundary", up_boundary) + .build() + ) + .build(); + list.add(m); + break; + } + case "boolean": + case "ip_protocol": + case "application": { + break; + } + default: + break; } - } else if ("regex" .equalsIgnoreCase(exprType)) { - expr_type = 2; - } - - JSONArray patternArr = new JSONArray(); - for (String expr : patternExprList) { - JSONObject pattern = new JSONObject(); - pattern.put("keywords", expr); - - Map rangeVarMap = this.getRangeVarFromExpr(expr); - if (T.MapUtil.isNotEmpty(rangeVarMap)) { - expr_type = 3; - pattern.put("keywords", expr.replaceAll("^\\(.*?\\)", "")); - pattern.put("offset", T.MapUtil.getInt(rangeVarMap, "offset")); - pattern.put("depth", T.MapUtil.getInt(rangeVarMap, "depth")); - } - patternArr.add(pattern); - } - - if ("keywords" .equals(objectType)) { - Map m = T.MapUtil.builder() - .put("string", T.MapUtil.builder() - .put("item_type", "keywords") - .put("expr_type", expr_type) - .put("is_hexbin", 0) - .put("patterns", patternArr) - .build() - ).build(); - list.add(m); - } - if("http_signature".equals(objectType)){ - Map m = T.MapUtil.builder() - .put("contextual_string", T.MapUtil.builder() - .put("expr_type", expr_type) - .put("is_hexbin", 0) - .put("context_name", item.getStr("district", "Set-Cookie")) - 
.put("patterns", patternArr) - .build() - ) - .build(); - list.add(m); - } - break; - } - case "url": - case "fqdn": { - Map m = T.MapUtil.builder() - .put("string", T.MapUtil.builder() - .put("item_type", objectType) - .put("expr_type", 0) - .put("is_hexbin", 0) - .put("patterns", T.ListUtil.of( - new JSONObject().put("keywords", item.getStr("item")) - )) - .build() - ) - .build(); - list.add(m); - break; - } - case "ip": { - String str = item.getStr("item"); - String ip = str; - String port = "0-65535"; - if (str.contains("#")) { - ip = str.split("#")[0]; - port = str.split("#")[1]; - } - Map m = T.MapUtil.builder() - .put("ip", T.MapUtil.builder() - .put("addr_type", Validator.isIpv4(str) ? 4 : 6) - .put("port", port) - .put("ip_address", ip) - .build() - ) - .build(); - list.add(m); - break; - } - case "port": { - String port = item.getStr("item"); - Map m = T.MapUtil.builder() - .put("port", new JSONObject().put("port", port)) - .build(); - if (port.contains("-")) { - m.put("port", new JSONObject().put("port_range", port)); - } - list.add(m); - break; - } - case "interval": { - String str = item.getStr("item"); - String low_boundary = str, up_boundary = str; - if (str.contains("-")) { - low_boundary = item.getStr("item").split("-")[0]; - up_boundary = item.getStr("item").split("-")[1]; - } - Map m = T.MapUtil.builder() - .put("interval", T.MapUtil.builder() - .put("low_boundary", low_boundary) - .put("up_boundary", up_boundary) - .build() - ) - .build(); - list.add(m); - break; - } - case "boolean": - case "ip_protocol": - case "application": { - break; - } - default: - break; - } + }); Map member = T.MapUtil.builder() .put("items", list) 
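Review bot: In the `ip` case, `Validator.isIpv4(str)` tests the whole item string, including any `#port` suffix, rather than the `ip` part split off just above it. For an item such as `10.0.0.1#443` (a constructed example) the check is likely to fail, so the generated IP object would be emitted with `addr_type` 6 and carry the wrong address family. Use `.put("addr_type", Validator.isIpv4(ip) ? 4 : 6)` instead. The same case indexes `str.split("#")[1]` without checking the array length, so an item ending in `#` throws, and `interval` has the same pattern with `-`. The method body continues past the end of the hunk.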
@@ -467,6 +476,13 @@ public class TSGApplicationServiceImpl implements ITSGApplicationService { return new HashMap<>(); } +// ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ +// ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ +// ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ +// ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ +// ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ +// ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ + @Override @Transactional(rollbackFor = Exception.class) public List tsg2402ToAsw(String workspaceId, List dataList) {