1、whitelist增加whiteListCommandsCheck、whiteListStaticRulesCheck。支持前端发送staticRuleIds列表,查询静态规则是否存在白名单。记录白名单check指令的问题
@@ -171,5 +171,28 @@ public class WhiteListController implements WhiteListControllerApi {
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
白名单审核思路:
|
||||
(1)按现在界面:任务创建时提示白名单命中。
|
||||
①静态任务:任务还没通过审核进入RUNNING状态,指令也没有生成,目前只能check静态规则在不在白名单
|
||||
②动态任务:任务还没通过审核进入RUNNING状态,告警信息没有接收、指令也没有生成,check不了白名单
|
||||
(2)若对指令进行白名单检查:(直接剔除指令中存在的白名单对象)
|
||||
存在的问题:指令如果是含有掩码的子网IP,就需要把子网拆分成一个个IP,从中剔除白名单IP,然后把一个个IP变成指令。
|
||||
也就是把含有掩码的指令拆分成不包含掩码的多个指令,此时指令展示会很多。
|
||||
①静态任务:指令生成后,自动剔除,若出现掩码,存在以上问题
|
||||
②实时任务:告警接收后,经策略模板指令生成后,自动剔除白名单对象,若出现掩码,存在以上问题
|
||||
③研判后认务:告警接收后,经策略模板指令生成后,自动剔除白名单对象,若出现掩码,包含掩码的指令都拆分多个指令了,
|
||||
告警信息如果不拆的话,告警信息只存一个指令的UUID。无法查询拆分后的多个指令对应哪个告警信息。
|
||||
拆分成多个指令也不好研判下发。
|
||||
如果说直接研判告警信息的话,多个告警信息还可能对应一个指令,下发了这个告警信息,另一个下发吗?所以研判的应该是指令
|
||||
|
||||
*/
|
||||
@Override
|
||||
@GetMapping("/staticrule/check/{staticRuleIds}")
|
||||
public ResponseResult whiteListStaticRulesCheck(@PathVariable List<Integer> staticRuleIds) {
|
||||
return ResponseResult.ok()
|
||||
.setData("whiteobj_list", whiteListService.whiteListStaticRulesCheck(staticRuleIds));
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
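Review bot: The new `/staticrule/check/{staticRuleIds}` endpoint at L63–L66 forwards an unbounded, caller-supplied ID list straight to the service; nothing visible in this hunk caps its size or checks that the caller may read whitelist entries at all, and each ID becomes one more OR-group in the mapper query added by this commit. Reject empty or oversized lists before calling the service, e.g. `if (staticRuleIds == null || staticRuleIds.isEmpty() || staticRuleIds.size() > MAX_CHECK_IDS) { /* return an error ResponseResult */ }` — the error factory on `ResponseResult` is not visible here, so use whatever the other controllers use. The long Chinese design note above the method is planning material rather than API documentation; a one-line Javadoc such as `/** Returns the whitelist entries hit by any of the given static rules (a flat union, not grouped per rule). */` would help readers more, and the design discussion belongs in an issue or design doc.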
@@ -9,6 +9,7 @@ import io.swagger.v3.oas.annotations.media.ExampleObject;
|
||||
import io.swagger.v3.oas.annotations.media.Schema;
|
||||
import io.swagger.v3.oas.annotations.tags.Tag;
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
@@ -205,4 +206,38 @@ public interface WhiteListControllerApi {
|
||||
@PathVariable Integer auditStatus);
|
||||
|
||||
|
||||
/*
|
||||
白名单审核思路:
|
||||
(1)按现在界面:任务创建时提示白名单命中。
|
||||
①静态任务:任务还没通过审核进入RUNNING状态,指令也没有生成,目前只能check静态规则在不在白名单
|
||||
②动态任务:任务还没通过审核进入RUNNING状态,告警信息没有接收、指令也没有生成,check不了白名单
|
||||
(2)若对指令进行白名单检查:(直接剔除指令中存在的白名单对象)
|
||||
存在的问题:指令如果是含有掩码的子网IP,就需要把子网拆分成一个个IP,从中剔除白名单IP,然后把一个个IP变成指令。
|
||||
也就是把含有掩码的指令拆分成不包含掩码的多个指令,此时指令展示会很多。
|
||||
①静态任务:指令生成后,自动剔除,若出现掩码,存在以上问题
|
||||
②实时任务:告警接收后,经策略模板指令生成后,自动剔除白名单对象,若出现掩码,存在以上问题
|
||||
③研判后认务:告警接收后,经策略模板指令生成后,自动剔除白名单对象,若出现掩码,包含掩码的指令都拆分多个指令了,
|
||||
告警信息如果不拆的话,告警信息只存一个指令的UUID。无法查询拆分后的多个指令对应哪个告警信息。
|
||||
拆分成多个指令也不好研判下发。
|
||||
如果说直接研判告警信息的话,多个告警信息还可能对应一个指令,下发了这个告警信息,另一个下发吗?所以研判的应该是指令
|
||||
|
||||
*/
|
||||
@Operation(
|
||||
summary = "查询静态规则命中白名单",
|
||||
description = "用于在创建任务的第三页中,查询静态规则命中的白名单",
|
||||
responses = {
|
||||
@io.swagger.v3.oas.annotations.responses.ApiResponse(
|
||||
description = "返回静态规则命中的所有白名单",
|
||||
content = @Content(
|
||||
mediaType = "application/json",
|
||||
schema = @Schema(title = "ResponseResult和WhiteListObject的属性",
|
||||
anyOf = {ResponseResult.class, WhiteListObject.class})
|
||||
)
|
||||
)
|
||||
},
|
||||
parameters = {
|
||||
@Parameter(name = "staticRuleIds", description = "静态规则id")
|
||||
}
|
||||
)
|
||||
ResponseResult whiteListStaticRulesCheck(@PathVariable List<Integer> staticRuleIds);
|
||||
}
|
||||
|
||||
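Review bot: The `@Operation` description at L171–L174 does not tell clients that `staticRuleIds` is a comma-separated path segment, nor that the body is a flat union of whitelist entries matched by any listed rule, so the frontend cannot attribute a hit to a particular rule. Suggest `description = "Comma-separated static rule IDs; returns the union of whitelist entries matched by any listed rule (not grouped per rule)"` and, on the parameter, `description = "Comma-separated static rule IDs, e.g. 1,2,3"`. The `anyOf = {ResponseResult.class, WhiteListObject.class}` schema at L192–L195 presents the two types as alternatives, while the controller in this commit always returns a `ResponseResult` carrying a `whiteobj_list` of `WhiteListObject`; if the swagger annotations allow it, document the wrapper and reference the item type rather than offering them as alternatives.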
@@ -2,6 +2,7 @@ package com.realtime.protection.server.whitelist;
|
||||
|
||||
import com.realtime.protection.configuration.entity.rule.staticrule.StaticRuleObject;
|
||||
import com.realtime.protection.configuration.entity.task.FiveTupleWithMask;
|
||||
import com.realtime.protection.configuration.entity.task.TaskCommandInfo;
|
||||
import com.realtime.protection.configuration.entity.whitelist.WhiteListObject;
|
||||
import org.apache.ibatis.annotations.Delete;
|
||||
import org.apache.ibatis.annotations.Mapper;
|
||||
@@ -37,7 +38,11 @@ public interface WhiteListMapper {
|
||||
|
||||
void deleteWhiteListObjects(@Param("whiteListIds") List<Integer> whiteListBatch);
|
||||
|
||||
List<WhiteListObject> whiteListCommandJudge(@Param("command") FiveTupleWithMask fiveTupleWithMaskInCommand);
|
||||
List<WhiteListObject> whiteListCommandCheck(@Param("command") FiveTupleWithMask fiveTupleWithMaskInCommand);
|
||||
|
||||
Integer queryWhiteListTotalNum(String whiteListName, Integer whiteListId);
|
||||
|
||||
List<WhiteListObject> whiteListCommandsCheck(List<TaskCommandInfo> taskCommandInfos);
|
||||
|
||||
List<WhiteListObject> whiteListCStaticRulesCheck(@Param("staticRuleObjects") List<StaticRuleObject> staticRuleObjects);
|
||||
}
|
||||
|
||||
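Review bot: `whiteListCommandsCheck(List<TaskCommandInfo> taskCommandInfos)` at L273 has no `@Param`, yet the `<foreach>` added in the mapper XML of this commit iterates `collection="taskCommandInfos"`; MyBatis exposes an un-annotated single List only as `list`/`collection` (and as the real parameter name only when the class is compiled with `-parameters`), so this binding silently depends on compiler flags. Make it explicit, as the sibling method already does: `List<WhiteListObject> whiteListCommandsCheck(@Param("taskCommandInfos") List<TaskCommandInfo> taskCommandInfos);`. `whiteListCStaticRulesCheck` at L278 looks like a typo for `whiteListStaticRulesCheck` (stray `C`); renaming it now, together with the XML statement `id`, avoids baking the misspelling into the service and the tests.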
@@ -129,10 +129,26 @@ public class WhiteListService {
|
||||
|
||||
}
|
||||
|
||||
public List<WhiteListObject> whiteListCommandJudge(TaskCommandInfo taskCommandInfo) {
|
||||
public List<WhiteListObject> whiteListCommandCheck(TaskCommandInfo taskCommandInfo) {
|
||||
//参数应该是指令,不管动态静态
|
||||
// 命中的whitelist列表:每一列包含ip port url
|
||||
return whiteListMapper.whiteListCommandJudge(taskCommandInfo.getFiveTupleWithMask());
|
||||
return whiteListMapper.whiteListCommandCheck(taskCommandInfo.getFiveTupleWithMask());
|
||||
|
||||
}
|
||||
|
||||
|
||||
public List<WhiteListObject> whiteListCommandsCheck(List<TaskCommandInfo> taskCommandInfoList) {
|
||||
//参数应该是指令,不管动态静态
|
||||
// 命中的whitelist列表:每一列包含ip port url
|
||||
return whiteListMapper.whiteListCommandsCheck(taskCommandInfoList);
|
||||
|
||||
}
|
||||
|
||||
public List<WhiteListObject> whiteListStaticRulesCheck(List<Integer> staticRuleId) {
|
||||
//参数应该是指令,不管动态静态
|
||||
// 命中的whitelist列表:每一列包含ip port url
|
||||
List<StaticRuleObject> staticRuleObjects = staticRuleMapper.queryStaticRuleByIds(staticRuleId);
|
||||
return whiteListMapper.whiteListCStaticRulesCheck(staticRuleObjects);
|
||||
|
||||
}
|
||||
|
||||
|
||||
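Review bot: `whiteListStaticRulesCheck` at L342–L354 hands whatever `queryStaticRuleByIds` returns straight to the mapper; when none of the IDs exist the list is empty, and MyBatis `<foreach>` emits nothing (not even `open`/`close`) for an empty collection, so the `<where>` in the new XML collapses and the statement returns every row of `t_white_list` as a "hit". Guard both bulk methods before the mapper call: `if (staticRuleObjects == null || staticRuleObjects.isEmpty()) return List.of();` here, and `if (taskCommandInfoList == null || taskCommandInfoList.isEmpty()) return List.of();` in `whiteListCommandsCheck`. The parameter `staticRuleId` holds a list and the copied comment `参数应该是指令` describes commands, not static rules — rename it to `staticRuleIds` and replace the comment with something like `// Resolve rule IDs to rule objects, then return whitelist entries matching any rule's source/destination IP (and port, when set)`.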
@@ -165,10 +165,11 @@
|
||||
(3)url
|
||||
-->
|
||||
|
||||
<select id="whiteListCommandJudge" resultMap="whiteListMap">
|
||||
select *
|
||||
<select id="whiteListCommandCheck" resultMap="whiteListMap">
|
||||
select *,INET_NTOA(white_list_ip) as white_list_ip_d
|
||||
from t_white_list
|
||||
<where>
|
||||
|
||||
<if test="command.sourceIP != null and command.maskSourceIP == null">
|
||||
(white_list_ip = INET_ATON(#{command.sourceIP})
|
||||
<if test="command.sourcePort != null">
|
||||
@@ -211,4 +212,77 @@
|
||||
</where>
|
||||
</select>
|
||||
|
||||
<select id="whiteListCommandsCheck" resultMap="whiteListMap">
|
||||
select *, INET_NTOA(white_list_ip) as white_list_ip_d
|
||||
from t_white_list
|
||||
<where>
|
||||
<foreach collection="taskCommandInfos" item="command" open="(" separator=" or " close=")">
|
||||
|
||||
<if test="command.fiveTupleWithMask.sourceIP != null and command.fiveTupleWithMask.maskSourceIP == null">
|
||||
(white_list_ip = INET_ATON(#{command.fiveTupleWithMask.sourceIP})
|
||||
<if test="command.fiveTupleWithMask.sourcePort != null">
|
||||
and white_list_port = CAST(#{command.fiveTupleWithMask.sourcePort} AS UNSIGNED)
|
||||
</if>)
|
||||
</if>
|
||||
<if test="command.fiveTupleWithMask.sourceIP != null and command.fiveTupleWithMask.maskSourceIP != null">
|
||||
(( white_list_ip & INET_ATON(#{command.fiveTupleWithMask.maskSourceIP})) =
|
||||
(INET_ATON(#{command.fiveTupleWithMask.sourceIP}) & INET_ATON(#{command.fiveTupleWithMask.maskSourceIP}))
|
||||
<if test="command.fiveTupleWithMask.sourcePort != null">
|
||||
and white_list_port = CAST(#{command.fiveTupleWithMask.sourcePort} AS UNSIGNED)
|
||||
</if>)
|
||||
</if>
|
||||
<if test="command.fiveTupleWithMask.destinationIP != null and command.fiveTupleWithMask.maskDestinationIP == null">
|
||||
or (white_list_ip = INET_ATON(#{command.fiveTupleWithMask.destinationIP})
|
||||
<if test="command.fiveTupleWithMask.destinationPort != null">
|
||||
and white_list_port = CAST(#{command.fiveTupleWithMask.destinationPort} AS UNSIGNED)
|
||||
</if>)
|
||||
</if>
|
||||
<if test="command.fiveTupleWithMask.destinationIP != null and command.fiveTupleWithMask.maskDestinationIP != null">
|
||||
or ((white_list_ip & INET_ATON(#{command.fiveTupleWithMask.maskDestinationIP})) =
|
||||
(INET_ATON(#{command.fiveTupleWithMask.destinationIP}) & INET_ATON(#{command.fiveTupleWithMask.maskDestinationIP}))
|
||||
<if test="command.fiveTupleWithMask.destinationPort != null">
|
||||
and white_list_port = CAST(#{command.fiveTupleWithMask.destinationPort} AS UNSIGNED)
|
||||
</if>)
|
||||
</if>
|
||||
</foreach>
|
||||
</where>
|
||||
|
||||
</select>
|
||||
|
||||
<select id="whiteListCStaticRulesCheck" resultMap="whiteListMap">
|
||||
select *, INET_NTOA(white_list_ip) as white_list_ip_d
|
||||
from t_white_list
|
||||
<where>
|
||||
<foreach collection="staticRuleObjects" item="staticRule" open="(" separator=" or " close=")">
|
||||
|
||||
<if test="staticRule.staticRuleSip != null and staticRule.staticRuleMsip == null">
|
||||
(white_list_ip = INET_ATON(#{staticRule.staticRuleSip})
|
||||
<if test="staticRule.staticRuleSport != null">
|
||||
and white_list_port = #{staticRule.staticRuleSport}
|
||||
</if>)
|
||||
</if>
|
||||
<if test="staticRule.staticRuleSip != null and staticRule.staticRuleMsip != null">
|
||||
(( white_list_ip & INET_ATON(#{staticRule.staticRuleSip})) =
|
||||
(INET_ATON(#{staticRule.staticRuleSip}) & INET_ATON(#{staticRule.staticRuleMsip}))
|
||||
<if test="staticRule.staticRuleSport != null">
|
||||
and white_list_port = #{staticRule.staticRuleSport}
|
||||
</if>)
|
||||
</if>
|
||||
<if test="staticRule.staticRuleDip != null and staticRule.staticRuleMdip == null">
|
||||
or (white_list_ip = INET_ATON(#{staticRule.staticRuleDip})
|
||||
<if test="staticRule.staticRuleDport != null">
|
||||
and white_list_port = #{staticRule.staticRuleDport}
|
||||
</if>)
|
||||
</if>
|
||||
<if test="staticRule.staticRuleDip != null and staticRule.staticRuleMdip != null">
|
||||
or ((white_list_ip & INET_ATON(#{staticRule.staticRuleDip})) =
|
||||
(INET_ATON(#{staticRule.staticRuleDip}) & INET_ATON(#{staticRule.staticRuleMdip}))
|
||||
<if test="staticRule.staticRuleDport != null">
|
||||
and white_list_port = #{staticRule.staticRuleDport}
|
||||
</if>)
|
||||
</if>
|
||||
</foreach>
|
||||
</where>
|
||||
</select>
|
||||
|
||||
</mapper>
|
||||
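Review bot: The masked comparisons in `whiteListCStaticRulesCheck` AND the whitelist IP with the rule's address instead of its mask — L563 reads `white_list_ip & INET_ATON(#{staticRule.staticRuleSip})` and L602 `white_list_ip & INET_ATON(#{staticRule.staticRuleDip})`, whereas the command variant at L455/L494 correctly uses the mask. A subnet rule therefore reports only whitelist entries whose bits happen to line up with the rule address, so whitelisted hosts inside the rule's subnet can be missed and unrelated entries reported; change the two lines to `(( white_list_ip & INET_ATON(#{staticRule.staticRuleMsip})) =` and `or ((white_list_ip & INET_ATON(#{staticRule.staticRuleMdip})) =`. Both new `<foreach>` blocks also assume every item yields a source clause: an item with only a destination IP starts with `or (`, producing `( or (...))`, which is not valid SQL — the single-command `<where>` tolerated a leading `or`, the grouped form does not — so wrap each item's clauses in `<trim prefix="(" suffix=")" prefixOverrides="or ">`. The checks further assume `staticRuleMsip`/`staticRuleMdip` are dotted-quad masks and that all addresses are IPv4 (`INET_ATON` yields NULL for IPv6, so such entries never match); worth confirming against the rule entity.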
@@ -16,9 +16,9 @@ public class AlertMessageTest {
|
||||
this.alertMessageService = alertMessageService;
|
||||
}
|
||||
|
||||
@Ignore
|
||||
@Test
|
||||
void testReceiveAlertMessage() {
|
||||
/*
|
||||
for (int i = 1; i < 4; i++) {
|
||||
AlertMessage alertMessage = new AlertMessage();
|
||||
FiveTupleWithMask fiveTupleWithMask = new FiveTupleWithMask();
|
||||
@@ -35,6 +35,8 @@ public class AlertMessageTest {
|
||||
alertMessage.setDynamicRuleId(31);
|
||||
alertMessageService.processAlertMessage(alertMessage);
|
||||
}
|
||||
*/
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
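Review bot: `@Ignore` at L645 is the JUnit 4 annotation; if this class runs on JUnit Jupiter (the package-private `void testReceiveAlertMessage()` and the `org.junit.jupiter.api.Test` import used by `WhiteListServiceTest` in this commit suggest it does), Jupiter does not honour it and the test is still selected — use `@Disabled("reason")` from `org.junit.jupiter.api` instead. Commenting out the body at L654–L678 leaves dead code the compiler no longer checks; either keep the code compiling under `@Disabled` with a reason, or delete it. The method starts in the first hunk and its body continues outside the visible lines.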
@@ -45,9 +45,9 @@ public class DynamicRuleServiceTest extends ProtectionApplicationTests {
|
||||
// System.out.println(object);
|
||||
}
|
||||
|
||||
@Ignore
|
||||
@Test
|
||||
void testUpdateDynamicRule() {
|
||||
/*
|
||||
DynamicRuleObject object = new DynamicRuleObject();
|
||||
object.setDynamicRuleName("UpdateDynamicRule2");
|
||||
object.setDynamicRuleFrequency(1);
|
||||
@@ -58,6 +58,7 @@ public class DynamicRuleServiceTest extends ProtectionApplicationTests {
|
||||
object.setProtectObjectIds(List.of(new Integer[]{6061}));
|
||||
|
||||
dynamicRuleService.updateDynamicRuleObject(5, object);
|
||||
*/
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
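Review bot: `@Ignore` at L704 is JUnit 4's annotation and has no effect under JUnit Jupiter, so `testUpdateDynamicRule` would still be selected if this class is Jupiter-based (the package-private `void` test method suggests so); use `@Disabled("reason")`. With the body commented out at L713–L736 the test passes vacuously either way; prefer keeping the code compiling under `@Disabled` or deleting it outright. The method body continues past the first hunk and closes in the second.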
@@ -1,14 +1,17 @@
|
||||
package com.realtime.protection.server.whitelist;
|
||||
|
||||
import com.realtime.protection.ProtectionApplicationTests;
|
||||
import com.realtime.protection.configuration.entity.rule.staticrule.StaticRuleObject;
|
||||
import com.realtime.protection.configuration.entity.task.FiveTupleWithMask;
|
||||
import com.realtime.protection.configuration.entity.task.TaskCommandInfo;
|
||||
import com.realtime.protection.configuration.entity.whitelist.WhiteListObject;
|
||||
import com.realtime.protection.server.rule.staticrule.StaticRuleService;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.boot.test.context.SpringBootTest;
|
||||
|
||||
import java.time.LocalDateTime;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
@@ -20,9 +23,12 @@ class WhiteListServiceTest extends ProtectionApplicationTests {
|
||||
private final WhiteListService whiteListService;
|
||||
private WhiteListObject whiteListObject;
|
||||
|
||||
private final StaticRuleService staticRuleService;
|
||||
|
||||
@Autowired
|
||||
WhiteListServiceTest(WhiteListService whiteListService) {
|
||||
WhiteListServiceTest(WhiteListService whiteListService, StaticRuleService staticRuleService) {
|
||||
this.whiteListService = whiteListService;
|
||||
this.staticRuleService = staticRuleService;
|
||||
}
|
||||
|
||||
@BeforeEach
|
||||
@@ -77,7 +83,7 @@ class WhiteListServiceTest extends ProtectionApplicationTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
void testWhiteListCommandJudge() {
|
||||
void testWhiteListCommandCheck() {
|
||||
FiveTupleWithMask fiveTupleWithMask = new FiveTupleWithMask();
|
||||
TaskCommandInfo taskCommandInfo = new TaskCommandInfo();
|
||||
fiveTupleWithMask.setDestinationIP("128.1.1.123");
|
||||
@@ -85,8 +91,41 @@ class WhiteListServiceTest extends ProtectionApplicationTests {
|
||||
fiveTupleWithMask.setDestinationPort("80");
|
||||
taskCommandInfo.setFiveTupleWithMask(fiveTupleWithMask);
|
||||
|
||||
List<WhiteListObject> whitelists = whiteListService.whiteListCommandJudge(taskCommandInfo);
|
||||
List<WhiteListObject> whitelists = whiteListService.whiteListCommandCheck(taskCommandInfo);
|
||||
System.out.println(whitelists);
|
||||
}
|
||||
|
||||
@Test
|
||||
void testWhiteListStaticRulesCheck() {
|
||||
StaticRuleObject staticRuleTest = new StaticRuleObject();
|
||||
staticRuleTest.setStaticRuleName("test_staticrule");
|
||||
staticRuleTest.setStaticRuleCreateTime(LocalDateTime.now());
|
||||
staticRuleTest.setStaticRuleCreateUsername("mh");
|
||||
staticRuleTest.setStaticRuleCreateDepart("mmeess");
|
||||
staticRuleTest.setStaticRuleCreateUserId(2);
|
||||
staticRuleTest.setStaticRuleAuditStatus(0);
|
||||
|
||||
staticRuleTest.setStaticRuleSip("1.1.2.3");
|
||||
staticRuleTest.setStaticRuleSport(80);
|
||||
|
||||
staticRuleTest.setStaticRulePriority(1);
|
||||
staticRuleTest.setStaticRuleFrequency(1);
|
||||
staticRuleTest.setStaticRuleRange("北京");
|
||||
|
||||
Integer id = staticRuleService.newStaticRuleObject(staticRuleTest);
|
||||
List<Integer> ruleIds = new ArrayList<>(List.of(id));
|
||||
List<StaticRuleObject> staticRules= staticRuleService.queryStaticRule(null,null,null,null,1,2);
|
||||
for (StaticRuleObject staticRule : staticRules) {
|
||||
ruleIds.add(staticRule.getStaticRuleId());
|
||||
}
|
||||
whiteListObject = new WhiteListObject();
|
||||
whiteListObject.setWhiteListName("test");
|
||||
whiteListObject.setWhiteListSystemName("china");
|
||||
whiteListObject.setWhiteListIP("1.1.2.3");
|
||||
whiteListObject.setWhiteListPort(80);
|
||||
whiteListObject.setWhiteListUrl("www.baidu.com");
|
||||
whiteListObject.setWhiteListProtocol("TCP");
|
||||
whiteListService.newWhiteListObject(whiteListObject);
|
||||
System.out.println(whiteListService.whiteListStaticRulesCheck(ruleIds));
|
||||
}
|
||||
}
|
||||
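Review bot: `testWhiteListStaticRulesCheck` (L893–L983) only prints the result, so it cannot fail, and it writes a static rule and a whitelist entry through the real services without removing them, so each run leaves rows behind and `queryStaticRule(null,null,null,null,1,2)` at L944 pulls in whatever two rules already exist, making the input nondeterministic. Replace the print with an assertion on the entry the test itself created, e.g. `List<WhiteListObject> hits = whiteListService.whiteListStaticRulesCheck(ruleIds);` followed by `assertTrue(hits.stream().anyMatch(w -> "1.1.2.3".equals(w.getWhiteListIP()) && Integer.valueOf(80).equals(w.getWhiteListPort())));` (assuming the usual getters for the setters used here), and drop the extra rule lookup. Delete the created rows in an `@AfterEach` or run the class under `@Transactional` so the shared test database is not polluted; `SpringBootTest` is imported at L784 but not used in the visible lines.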