TSG-15219 优化DoS静态阈值下的检测逻辑

This commit is contained in:
unknown
2023-05-24 14:36:29 +08:00
parent 04ee45f77d
commit 6be3ea7f1e


@@ -1,5 +1,6 @@
package com.zdjizhi.etl; package com.zdjizhi.etl;
import cn.hutool.core.math.MathUtil;
import cn.hutool.log.Log; import cn.hutool.log.Log;
import cn.hutool.log.LogFactory; import cn.hutool.log.LogFactory;
import com.zdjizhi.common.*; import com.zdjizhi.common.*;
@@ -121,21 +122,40 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
private DosEventLog getDosEventLogByStaticThreshold(DosSketchLog value, DosDetectionThreshold threshold) throws CloneNotSupportedException { private DosEventLog getDosEventLogByStaticThreshold(DosSketchLog value, DosDetectionThreshold threshold) throws CloneNotSupportedException {
long base = threshold.getSessionsPerSec(); long base = threshold.getSessionsPerSec();
long diff = value.getSketch_sessions() - base; long diffSession = value.getSketch_sessions() - base;
long profileId = threshold.getProfileId(); long diffPkt = value.getSketch_packets() - base;
DosEventLog result = getDosEventLog(value, base, diff, profileId, STATIC_CONDITION_TYPE, SESSIONS_TAG); long diffByte = value.getSketch_bytes() - base;
if (result == null) { long profileId = 0;
base = threshold.getPacketsPerSec(); DosEventLog result =null;
diff = value.getSketch_packets() - base; // long max =(value.getSketch_sessions()>value.getSketch_packets()?value.getSketch_sessions():value.getSketch_packets())>value.getSketch_bytes()?(value.getSketch_sessions()>value.getSketch_packets()?value.getSketch_sessions():value.getSketch_packets()):value.getSketch_bytes();
if (diffSession>diffPkt && diffSession> diffByte){
profileId = threshold.getProfileId(); profileId = threshold.getProfileId();
result = getDosEventLog(value, base, diff,profileId, STATIC_CONDITION_TYPE, PACKETS_TAG); result= getDosEventLog(value, base, diffSession, profileId, STATIC_CONDITION_TYPE, SESSIONS_TAG);
if (result == null) { }else if (diffPkt>diffSession && diffPkt>diffByte){
base = threshold.getBitsPerSec(); profileId = threshold.getProfileId();
diff = value.getSketch_bytes() - base; result = getDosEventLog(value, base, diffPkt,profileId, STATIC_CONDITION_TYPE, PACKETS_TAG);
profileId=threshold.getProfileId(); }else if (diffByte>diffPkt&&diffByte>diffSession){
result = getDosEventLog(value, base, diff, profileId, STATIC_CONDITION_TYPE, BITS_TAG); profileId = threshold.getProfileId();
} result = getDosEventLog(value, base, diffByte, profileId, STATIC_CONDITION_TYPE, BITS_TAG);
} }
// long base = threshold.getSessionsPerSec();
// long diff = value.getSketch_sessions() - base;
// long profileId = threshold.getProfileId();
// DosEventLog result = getDosEventLog(value, base, diff, profileId, STATIC_CONDITION_TYPE, SESSIONS_TAG);
// if (result == null) {
// base = threshold.getPacketsPerSec();
// diff = value.getSketch_packets() - base;
// profileId = threshold.getProfileId();
// result = getDosEventLog(value, base, diff,profileId, STATIC_CONDITION_TYPE, PACKETS_TAG);
// if (result == null) {
// base = threshold.getBitsPerSec();
// diff = value.getSketch_bytes() - base;
// profileId=threshold.getProfileId();
// result = getDosEventLog(value, base, diff, profileId, STATIC_CONDITION_TYPE, BITS_TAG);
// }
// }
/* /*
ArrayList<DosEventLog> dosEventLogs = new ArrayList<>(); ArrayList<DosEventLog> dosEventLogs = new ArrayList<>();
if (result != null){ if (result != null){
@@ -190,7 +210,8 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
dosEventLog.setProfile_id(profileId); dosEventLog.setProfile_id(profileId);
dosEventLog.setAttack_type(value.getAttack_type()); dosEventLog.setAttack_type(value.getAttack_type());
dosEventLog.setSeverity(severity.severity); dosEventLog.setSeverity(severity.severity);
dosEventLog.setConditions(getConditions(PERCENT_INSTANCE.format(percent), base, value.getSketch_sessions(), type, tag)); // dosEventLog.setConditions(getConditions(PERCENT_INSTANCE.format(percent), base, value.getSketch_sessions(), type, tag));
dosEventLog.setConditions(getConditions(percent, base, value.getSketch_sessions(), type, tag,dosEventLog));
dosEventLog.setDestination_ip(value.getDestination_ip()); dosEventLog.setDestination_ip(value.getDestination_ip());
dosEventLog.setDestination_country(IpUtils.ipLookup.countryLookup(value.getDestination_ip())); dosEventLog.setDestination_country(IpUtils.ipLookup.countryLookup(value.getDestination_ip()));
String ipList = value.getSource_ip(); String ipList = value.getSource_ip();
@@ -227,15 +248,27 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
return base; return base;
} }
private String getConditions(String percent, long base, long sessions, int type, String tag) { private String getConditions(double percent, long base, long sessions, int type, String tag,DosEventLog dosEventLog) {
int condition =0;
if ("Minor".equals(dosEventLog.getSeverity())){
condition=50;
}else if ("Warning".equals(dosEventLog.getSeverity())){
condition=100;
}else if ("Major".equals(dosEventLog.getSeverity())){
condition=250;
}else if ("Severe".equals(dosEventLog.getSeverity())){
condition=500;
}else if ("Critical".equals(dosEventLog.getSeverity())){
condition =800;
}
switch (type) { switch (type) {
case STATIC_CONDITION_TYPE: case STATIC_CONDITION_TYPE:
return "Rate > " + return "Rate > " +
base + " " + base + " " +
tag + "/s"; tag + "/s" + "(>"+condition+"%)";
case BASELINE_CONDITION_TYPE: case BASELINE_CONDITION_TYPE:
return tag + " > " + return tag + " > " +
percent + " of baseline"; PERCENT_INSTANCE.format(percent) + " of baseline";
case SENSITIVITY_CONDITION_TYPE: case SENSITIVITY_CONDITION_TYPE:
return String.valueOf(sessions) + " " + return String.valueOf(sessions) + " " +
tag + "/s Unusually high " + tag + "/s Unusually high " +