package com.realtime.protection.server.alertmessage;
import com.baomidou.dynamic.datasource.annotation.DSTransactional;
import com.realtime.protection.configuration.entity.alert.AlertMessage;
import com.realtime.protection.configuration.entity.defense.template.ProtectLevel;
import com.realtime.protection.configuration.entity.task.FiveTupleWithMask;
import com.realtime.protection.configuration.entity.task.TaskCommandInfo;
import com.realtime.protection.configuration.utils.enums.StateEnum;
import com.realtime.protection.configuration.utils.enums.TaskTypeEnum;
import com.realtime.protection.server.command.CommandService;
import lombok.Data;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
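// NOTE(review): the original header comment states that the alert UUID is (also) assigned by the
// mapper when the row is inserted. If so, the UUID.randomUUID() values set below are redundant and
// the UUID returned by insertAlertMessageOnly may differ from what was stored — confirm against the
// mapper mapping before relying on that return value.
/**
 * Converts an incoming {@link AlertMessage} into protection command(s) and records the alert.
 *
 * <p>Processing (see {@link #processAlertMessage}):
 * <ol>
 *   <li>look up the task/rule the alert refers to and the protect-level template it uses;</li>
 *   <li>derive the five-tuple(s) the command carries from the alert's five-tuple, keeping only
 *       the fields the template asks for and adding a reverse-direction tuple when the template
 *       is marked full-flow;</li>
 *   <li>depending on the task state, store the command(s) and the alert (RUNNING: valid,
 *       PAUSED: stored but marked invalid) or the alert only (any other state).</li>
 * </ol>
 */
@Service
public class AlertMessageService {

    private final CommandService commandService;
    private final AlertMessageMapper alertMessageMapper;

    public AlertMessageService(CommandService commandService,
                               AlertMessageMapper alertMessageMapper) {
        this.commandService = commandService;
        this.alertMessageMapper = alertMessageMapper;
    }

    /**
     * Entry point: turns one alert into command rows and alert rows inside a single transaction.
     *
     * @param alertMessage the alert to process; its commandUUID / alertMessageUUID fields are
     *                     overwritten as rows are inserted
     * @throws IllegalArgumentException if the alert's task/rule cannot be resolved or the alert
     *                                  carries no five-tuple
     * @throws IllegalStateException    if the resolved task has no usable status/type, an
     *                                  unsupported type, or no protect-level template
     */
    @DSTransactional
    public void processAlertMessage(AlertMessage alertMessage) {
        Objects.requireNonNull(alertMessage, "alertMessage");

        // alert -> command(s); never empty, the forward-direction command is always built
        List<TaskCommandInfo> commands = generateDynamicCommand(alertMessage);
        TaskCommandInfo first = commands.get(0);

        // Task state decides isValid and whether commands are stored at all (only RUNNING/PAUSED
        // are stored); task type decides isJudged. All generated commands share these values.
        Integer taskStatus = first.getTaskStatus();
        Integer taskType = first.getTaskType();
        if (taskStatus == null || taskType == null) {
            throw new IllegalStateException("taskId: " + alertMessage.getTaskId()
                    + " resolved without a task status/type, refusing to process alert");
        }

        // Compare by value: the previous == on a boxed Integer is only reliable for values inside
        // the Integer cache.
        // NOTE(review): DYNAMIC (real-time) -> isJudged=true and JUDGED (post-judgement) ->
        // isJudged=false is what the original did; the mapping reads inverted relative to the
        // names — confirm the meaning of isJudged with the command consumer before changing it.
        Boolean isJudged;
        if (taskType.intValue() == TaskTypeEnum.DYNAMIC.getTaskType()) {
            isJudged = Boolean.TRUE;
        } else if (taskType.intValue() == TaskTypeEnum.JUDGED.getTaskType()) {
            isJudged = Boolean.FALSE;
        } else {
            // Previously an unrecognised type silently dropped the alert without any record; fail
            // loudly instead so the misconfiguration is visible (the surrounding transaction
            // rolls back). This mirrors the IllegalArgumentException for unresolved task/rule IDs.
            throw new IllegalStateException("taskId: " + alertMessage.getTaskId()
                    + " has unsupported task type " + taskType);
        }

        StateEnum state = StateEnum.getStateEnumByNum(taskStatus);
        if (state == null) {
            // a switch on a null enum would throw a bare NPE; give the operator the context instead
            throw new IllegalStateException("taskId: " + alertMessage.getTaskId()
                    + " has unknown task status " + taskStatus);
        }
        switch (state) {
            case RUNNING:
                insertCommandAndAlertMessage(commands, Boolean.TRUE, isJudged, alertMessage);
                break;
            case PAUSED:
                insertCommandAndAlertMessage(commands, Boolean.FALSE, isJudged, alertMessage);
                break;
            default:
                // mainly STOPPED: no command rows, but the alert itself is still recorded
                insertAlertMessageOnly(alertMessage);
                break;
        }
    }

    /**
     * Builds the command(s) an alert should produce.
     *
     * <p>The mapper returns the task/rule information merged with the alert's five-tuple plus the
     * templateId, protectLevel and taskStatus. The protect-level template then decides which
     * five-tuple fields the command carries and whether a reverse-direction command is generated.
     *
     * @return one command (forward direction) or two (reverse-direction copy first, then the
     *         forward one, matching the original ordering); never empty
     * @throws IllegalArgumentException if no task info exists for the alert's taskId/dynamicRuleId
     *                                  or the alert carries no five-tuple
     * @throws IllegalStateException    if no protect-level template exists for the task
     */
    private List<TaskCommandInfo> generateDynamicCommand(AlertMessage alertMessage) {
        Long taskId = alertMessage.getTaskId();
        Integer dynamicRuleId = alertMessage.getDynamicRuleId();

        TaskCommandInfo baseCommand = alertMessageMapper.getDynamicTaskInfos(taskId, dynamicRuleId);
        if (baseCommand == null || baseCommand.getTemplateId() == null) {
            throw new IllegalArgumentException("taskId: " + taskId + " DynamicRuleId: " + dynamicRuleId + " 不正确");
        }

        // policy template for this templateId at this protect level
        ProtectLevel templateProtectLevel = alertMessageMapper.queryTemplateProtectLevel(
                baseCommand.getTemplateId(),
                baseCommand.getProtectLevel());
        if (templateProtectLevel == null) {
            // previously this surfaced as an NPE inside updateFiveTupleWithMask
            throw new IllegalStateException("no protect-level template for templateId: "
                    + baseCommand.getTemplateId() + " protectLevel: " + baseCommand.getProtectLevel());
        }
        if (alertMessage.getFiveTupleWithMask() == null) {
            throw new IllegalArgumentException("taskId: " + taskId + " alert carries no five-tuple");
        }

        // one tuple, or two when the template's is_full_flow asks for both directions
        List<FiveTupleWithMask> tuples = updateFiveTupleWithMask(alertMessage.getFiveTupleWithMask(),
                alertMessage.getProtectIsSrcOrDst(), templateProtectLevel);

        List<TaskCommandInfo> commands = new ArrayList<>();
        if (tuples.size() == 2) {
            // reverse-direction command is a copy of the base task info with the second tuple
            TaskCommandInfo reverseCommand = new TaskCommandInfo();
            reverseCommand.copyTaskCommandInfo(baseCommand);
            reverseCommand.setFiveTupleWithMask(tuples.get(1));
            commands.add(reverseCommand);
        }
        baseCommand.setFiveTupleWithMask(tuples.get(0));
        commands.add(baseCommand);
        return commands;
    }

    /**
     * Stores every command and, for each command, one alert row linked to it. A full-flow
     * template therefore records the alert twice, once per direction.
     *
     * <p>NOTE(review): this method is private and invoked from within the same bean, so the
     * {@code @DSTransactional} annotation here is presumably not intercepted by the proxy; the
     * transaction opened by {@link #processAlertMessage} is what actually covers these inserts.
     *
     * @param commands     commands to persist; isValid/isJudged are set on each before insertion
     * @param isValid      true for RUNNING tasks, false for PAUSED
     * @param isJudged     value derived from the task type in processAlertMessage
     * @param alertMessage the alert; mutated with the command UUID and a fresh alert UUID per row
     */
    @DSTransactional
    private void insertCommandAndAlertMessage(List<TaskCommandInfo> commands,
                                              Boolean isValid,
                                              Boolean isJudged,
                                              AlertMessage alertMessage) {
        for (TaskCommandInfo command : commands) {
            command.setIsValid(isValid);
            command.setIsJudged(isJudged);
            String commandUUID = commandService.createCommand(command);

            alertMessage.setCommandUUID(commandUUID);
            alertMessage.setAlertMessageUUID(UUID.randomUUID().toString());
            alertMessageMapper.insertAlertMessage(alertMessage);
        }
    }

    /**
     * Stores the alert alone (no command), used when the task is in a state other than
     * RUNNING/PAUSED.
     *
     * @return the alert UUID assigned here (see the class-level note about the mapper possibly
     *         assigning its own)
     */
    private String insertAlertMessageOnly(AlertMessage alertMessage) {
        alertMessage.setCommandUUID(null);
        String alertMessageUUID = UUID.randomUUID().toString();
        alertMessage.setAlertMessageUUID(alertMessageUUID);
        alertMessageMapper.insertAlertMessage(alertMessage);
        return alertMessageUUID;
    }

    /** One end of a flow: address and port with their masks. Fields are blanked by the template. */
    private static final class Endpoint {
        String ip;
        String maskIp;
        String port;
        String maskPort;

        Endpoint(String ip, String maskIp, String port, String maskPort) {
            this.ip = ip;
            this.maskIp = maskIp;
            this.port = port;
            this.maskPort = maskPort;
        }
    }

    private static Endpoint sourceOf(FiveTupleWithMask tuple) {
        return new Endpoint(tuple.getSourceIP(), tuple.getMaskSourceIP(),
                tuple.getSourcePort(), tuple.getMaskSourcePort());
    }

    private static Endpoint destinationOf(FiveTupleWithMask tuple) {
        return new Endpoint(tuple.getDestinationIP(), tuple.getMaskDestinationIP(),
                tuple.getDestinationPort(), tuple.getMaskDestinationPort());
    }

    /**
     * Assembles a command five-tuple from a source and destination endpoint; protocol fields are
     * copied from the alert only when the template asks for them, otherwise left unset.
     */
    private static FiveTupleWithMask buildTuple(Endpoint source, Endpoint destination,
                                                FiveTupleWithMask alertTuple,
                                                ProtectLevel templateProtectLevel) {
        FiveTupleWithMask tuple = new FiveTupleWithMask();
        tuple.setSourceIP(source.ip);
        tuple.setMaskSourceIP(source.maskIp);
        tuple.setSourcePort(source.port);
        tuple.setMaskSourcePort(source.maskPort);
        tuple.setDestinationIP(destination.ip);
        tuple.setMaskDestinationIP(destination.maskIp);
        // FIX: the original wrote the destination's port into the *source* port fields (copy-paste),
        // so the source port was clobbered and the destination port never set — the pushed rule
        // would not match the traffic the alert described.
        tuple.setDestinationPort(destination.port);
        tuple.setMaskDestinationPort(destination.maskPort);
        if (templateProtectLevel.getHasProtocol()) {
            tuple.setProtocol(alertTuple.getProtocol());
            // FIX: the original called setProtocol twice, overwriting the protocol with its mask.
            tuple.setMaskProtocol(alertTuple.getMaskProtocol());
        }
        return tuple;
    }

    /**
     * Derives the five-tuple(s) to push from the alert's five-tuple and the template.
     *
     * @param fiveTupleWithMask   the alert's five-tuple
     * @param protectIsSrcOrDst   0 when the protected object is the alert's source, otherwise it
     *                            is the destination
     * @param templateProtectLevel the policy template for this protect level; its has* flags
     *                            select which fields survive, isFullFlow adds the reverse tuple
     * @return the peer -> protected-object tuple, followed by the protected-object -> peer tuple
     *         when the template is full-flow
     */
    private List<FiveTupleWithMask> updateFiveTupleWithMask(FiveTupleWithMask fiveTupleWithMask,
                                                           int protectIsSrcOrDst,
                                                           ProtectLevel templateProtectLevel) {
        Endpoint protectObject;
        Endpoint peer;
        if (protectIsSrcOrDst == 0) {
            protectObject = sourceOf(fiveTupleWithMask);
            peer = destinationOf(fiveTupleWithMask);
        } else {
            protectObject = destinationOf(fiveTupleWithMask);
            peer = sourceOf(fiveTupleWithMask);
        }

        // keep only the fields the template asks for
        if (!templateProtectLevel.getHasProtectObjectIP()) {
            protectObject.ip = null;
            protectObject.maskIp = null;
        }
        if (!templateProtectLevel.getHasProtectObjectPort()) {
            protectObject.port = null;
            protectObject.maskPort = null;
        }
        if (!templateProtectLevel.getHasPeerIP()) {
            peer.ip = null;
            peer.maskIp = null;
        }
        if (!templateProtectLevel.getHasPeerPort()) {
            peer.port = null;
            peer.maskPort = null;
        }

        List<FiveTupleWithMask> tuples = new ArrayList<>();
        // traffic from the peer towards the protected object
        tuples.add(buildTuple(peer, protectObject, fiveTupleWithMask, templateProtectLevel));
        // full-flow templates also cover the protected object -> peer direction
        if (templateProtectLevel.getIsFullFlow()) {
            tuples.add(buildTuple(protectObject, peer, fiveTupleWithMask, templateProtectLevel));
        }
        // alerts currently carry only a five-tuple; there is no URL/DNS information yet
        return tuples;
    }

    /**
     * Returns the alert rows linked to the given command UUID. Delegates to the mapper, whose
     * method keeps its historical "Alerms" spelling.
     */
    public List<AlertMessage> queryAlarmsByCommandId(String commandId) {
        return alertMessageMapper.queryAlermsByCommandId(commandId);
    }
}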