gfwleak/galaxy-tsg-olap-dos-detection-job
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-13094 修复DoS Event日志出现MVsys id

Browse Source
This commit is contained in:
wanglihui
2022-12-21 17:11:14 +08:00
parent 01bbe562c9
commit ce15a27a1b
2 changed files with 11 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/main/java/com/zdjizhi/etl/DosDetection.java
View File

@@ -25,7 +25,6 @@ import java.util.concurrent.TimeUnit;
*/ */
public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<String, byte[]>, DosEventLog> { public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<String, byte[]>, DosEventLog> {
// private static final Logger logger = LoggerFactory.getLogger(DosDetection.class);
private static final Log logger = LogFactory.get(); private static final Log logger = LogFactory.get();
private static Map<String, Map<String, DosBaselineThreshold>> baselineMap = new HashMap<>(); private static Map<String, Map<String, DosBaselineThreshold>> baselineMap = new HashMap<>();
private final static NumberFormat PERCENT_INSTANCE = NumberFormat.getPercentInstance(); private final static NumberFormat PERCENT_INSTANCE = NumberFormat.getPercentInstance();
@@ -66,7 +65,7 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
@Override @Override
public void processElement(DosSketchLog value, ReadOnlyContext ctx, Collector<DosEventLog> out) { public void processElement(DosSketchLog value, ReadOnlyContext ctx, Collector<DosEventLog> out) {
ArrayList<DosEventLog> finalResults = new ArrayList<>(); DosEventLog finalResult = null;
try { try {
String destinationIp = value.getDestination_ip(); String destinationIp = value.getDestination_ip();
int vsysId = value.getVsys_id(); int vsysId = value.getVsys_id();
@@ -81,26 +80,21 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
logger.debug("当前判断IP{}, 类型: {}", key, attackType); logger.debug("当前判断IP{}, 类型: {}", key, attackType);
if (threshold == null && baselineMap.containsKey(key)) { if (threshold == null && baselineMap.containsKey(key)) {
DosEventLog finalResult = getDosEventLogByBaseline(value,key); finalResult = getDosEventLogByBaseline(value,key);
finalResults.add(finalResult);
} else if (threshold == null && !baselineMap.containsKey(key)) { } else if (threshold == null && !baselineMap.containsKey(key)) {
DosEventLog finalResult = getDosEventLogBySensitivityThreshold(value); finalResult = getDosEventLogBySensitivityThreshold(value);
finalResults.add(finalResult);
} else if (threshold != null) { } else if (threshold != null) {
finalResults = getDosEventLogByStaticThreshold(value, threshold); finalResult = getDosEventLogByStaticThreshold(value, threshold);
} else { } else {
logger.debug("未获取到当前server IP{} 类型 {} 静态阈值 和 baseline", key, attackType); logger.debug("未获取到当前server IP{} 类型 {} 静态阈值 和 baseline", key, attackType);
} }
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace();
logger.error("判定失败\n {} \n{}", value, e); logger.error("判定失败\n {} \n{}", value, e);
} }
for (DosEventLog dosEventLog:finalResults){ if (finalResult != null){
if (dosEventLog != null){ out.collect(finalResult);
out.collect(dosEventLog);
}
} }
} }
@@ -125,7 +119,7 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
return getDosEventLog(value, base, diff, BASELINE_CONDITION_TYPE, SESSIONS_TAG); return getDosEventLog(value, base, diff, BASELINE_CONDITION_TYPE, SESSIONS_TAG);
} }
private ArrayList<DosEventLog> getDosEventLogByStaticThreshold(DosSketchLog value, DosDetectionThreshold threshold) throws CloneNotSupportedException { private DosEventLog getDosEventLogByStaticThreshold(DosSketchLog value, DosDetectionThreshold threshold) throws CloneNotSupportedException {
long base = threshold.getSessionsPerSec(); long base = threshold.getSessionsPerSec();
long diff = value.getSketch_sessions() - base; long diff = value.getSketch_sessions() - base;
DosEventLog result = getDosEventLog(value, base, diff, STATIC_CONDITION_TYPE, SESSIONS_TAG); DosEventLog result = getDosEventLog(value, base, diff, STATIC_CONDITION_TYPE, SESSIONS_TAG);
@@ -139,6 +133,7 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
result = getDosEventLog(value, base, diff, STATIC_CONDITION_TYPE, BITS_TAG); result = getDosEventLog(value, base, diff, STATIC_CONDITION_TYPE, BITS_TAG);
} }
} }
/*
ArrayList<DosEventLog> dosEventLogs = new ArrayList<>(); ArrayList<DosEventLog> dosEventLogs = new ArrayList<>();
if (result != null){ if (result != null){
dosEventLogs.add(result); dosEventLogs.add(result);
@@ -152,7 +147,8 @@ public class DosDetection extends BroadcastProcessFunction<DosSketchLog,Map<Stri
} }
} }
} }
return dosEventLogs; */
return result;
} }
private DosEventLog getDosEventLog(DosSketchLog value, long base, long diff, int type, String tag) { private DosEventLog getDosEventLog(DosSketchLog value, long base, long diff, int type, String tag) {

2
src/main/java/com/zdjizhi/etl/ParseSketchLog.java
View File

@@ -51,7 +51,7 @@ public class ParseSketchLog {
long sketchStartTime = Long.parseLong(sketchSource.get("sketch_start_time").toString()); long sketchStartTime = Long.parseLong(sketchSource.get("sketch_start_time").toString());
long sketchDuration = Long.parseLong(sketchSource.get("sketch_duration").toString()); long sketchDuration = Long.parseLong(sketchSource.get("sketch_duration").toString());
String attackType = sketchSource.get("attack_type").toString(); String attackType = sketchSource.get("attack_type").toString();
int vsysId = Integer.parseInt(sketchSource.getOrDefault("common_t_vsys_id", 1).toString()); int vsysId = Integer.parseInt(sketchSource.getOrDefault("common_vsys_id", 1).toString());
ArrayList<HashMap<String, Object>> reportIpList = jsonMapperInstance.fromJson(jsonMapperInstance.toJson(sketchSource.get("report_ip_list")), listType); ArrayList<HashMap<String, Object>> reportIpList = jsonMapperInstance.fromJson(jsonMapperInstance.toJson(sketchSource.get("report_ip_list")), listType);
for (HashMap<String, Object> obj : reportIpList) { for (HashMap<String, Object> obj : reportIpList) {
DosSketchLog dosSketchLog = new DosSketchLog(); DosSketchLog dosSketchLog = new DosSketchLog();