nanChen/ai-security-xdr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

关联分析规则-数据降噪

Browse Source
This commit is contained in:
nanChen
2026-03-18 18:00:25 +08:00
parent cf6b89ea94
commit c0063a5a44
64 changed files with 6642 additions and 2007 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
haobang-security-xdr/logs/syslog-serve.log
View File

@@ -1,31 +1,23 @@
2026-01-10 13:26:58.023 [main] INFO com.SyslogServeMainApp - Starting SyslogServeMainApp using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 26480 (E:\GIT_GOSAME\haobang-security-xdr\syslog-serve\target\classes started by chenc in E:\GIT_GOSAME\haobang-security-xdr)
2026-01-10 13:26:58.023 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-01-10 13:26:58.029 [main] INFO com.SyslogServeMainApp - No active profile set, falling back to 1 default profile: "default"
2026-01-10 13:26:59.839 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-01-10 13:26:59.839 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-01-10 13:27:00.011 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 153 ms. Found 0 Redis repository interfaces.
2026-01-10 13:27:00.592 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8189 (http)
2026-01-10 13:27:00.604 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8189"]
2026-01-10 13:27:00.604 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-01-10 13:27:00.604 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-01-10 13:27:00.971 [main] INFO o.a.c.c.C.[.[.[/syslogserve] - Initializing Spring embedded WebApplicationContext
2026-01-10 13:27:00.971 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 2874 ms
2026-01-10 13:27:04.637 [main] INFO o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8189"]
2026-01-10 13:27:04.652 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8189 (http) with context path '/syslogserve'
2026-01-10 13:27:04.662 [main] INFO com.SyslogServeMainApp - Started SyslogServeMainApp in 7.133 seconds (JVM running for 12.488)
2026-01-10 13:27:04.693 [main] INFO com.SyslogServeMainApp - Application SyslogServer start !
2026-01-10 13:27:04.694 [main] INFO com.netty.SyslogServer - Starting Syslog server with TCP port 514 and UDP port 514
2026-01-10 13:27:05.069 [pool-3-thread-2] INFO com.netty.SyslogServer - TCP Syslog server started on port 514
2026-01-10 13:27:05.069 [pool-3-thread-1] INFO com.netty.SyslogServer - UDP Syslog server started on port 514
2026-01-10 13:27:05.069 [main] INFO com.netty.SyslogServer - Both TCP and UDP Syslog servers are running
2026-01-10 13:38:58.993 [nioEventLoopGroup-5-1] INFO com.netty.SyslogMessageHandler - Received syslog from 192.168.0.103:65442: <0> 2026-01-10T05:28:32+08:00 ubuntu log_forward[3419]: {"timestamp":"2026-01-10T05:28:32.806781+0800","flow_id":1671852309144385,"community_id":"uLeKRLkXu9m0D0DNn6wIg7CcdOs=","serial_num":"CJFBT92","origin":"eno4","xdr_log_type":"http","vxlan_vni":256,"src_ip":"172.16.121.137","src_port":51114,"dest_ip":"110.43.89.7","dest_port":80,"proto":"TCP","app_proto":"http","tcp_sequence":3553898360,"tcp_ack_sequence":3537707565,"ether":{"src_mac":"90:f1:b0:fb:81:a1","dest_mac":"a4:7b:2c:21:03:79"},"host":"rq.lbcct.cloud.duba.net","host_md5":"51cfa6d0981c8eb355a9b3af716da08d","uri":"/query?1767994112","uri_md5":"f28f2c62d0dd01c355caa05815d93d99","referer":"","method":"POST","protocol":"HTTP/1.1","status":200,"req_content_type":"application/x-www-form-urlencoded","request_headers":"host: rq.lbcct.cloud.duba.net\r\naccept: */*\r\ncontent-length: 85\r\ncontent-type: application/x-www-form-urlencoded\r\n","rsp_content_type":"text/plain","response_headers":"server: Tengine/1.5.2\r\ndate: Fri, 09 Jan 2026 21:28:32 GMT\r\ncontent-type: text/plain\r\nContent-Length: 54\r\nConnection: keep-alive\r\nContent-Tag: 1936292435\r\n"}
2026-01-10 13:38:59.375 [nioEventLoopGroup-5-1] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Starting...
2026-01-10 13:38:59.994 [nioEventLoopGroup-5-1] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Start completed.
2026-01-10 13:39:00.321 [nioEventLoopGroup-5-1] ERROR com.Modules.Device.DeviceProcess - 设备请求的Host IP非系统注册请联系管理员添加设备信息
2026-01-10 13:39:00.321 [nioEventLoopGroup-5-1] INFO com.netty.SyslogMessageHandler - syslog message 的请求设备IP:192.168.0.103非系统注册,暂不做处理!
2026-01-10 13:39:00.579 [nioEventLoopGroup-5-1] INFO c.c.s.impl.DeviceUnknownServiceImpl - 更新设备最后发现时间成功ID: 16
2026-01-10 13:59:49.596 [HikariPool-1 housekeeper] WARN com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Thread starvation or clock leap detected (housekeeper delta=5m51s158ms35µs500ns).
2026-01-10 14:08:50.222 [nioEventLoopGroup-5-2] INFO com.netty.SyslogMessageHandler - Received syslog from 192.168.0.103:59772: <0> 2026-01-10T05:28:32+08:00 ubuntu log_forward[3419]: {"timestamp":"2026-01-10T05:28:32.806781+0800","flow_id":1671852309144385,"community_id":"uLeKRLkXu9m0D0DNn6wIg7CcdOs=","serial_num":"CJFBT92","origin":"eno4","xdr_log_type":"http","vxlan_vni":256,"src_ip":"172.16.121.137","src_port":51114,"dest_ip":"110.43.89.7","dest_port":80,"proto":"TCP","app_proto":"http","tcp_sequence":3553898360,"tcp_ack_sequence":3537707565,"ether":{"src_mac":"90:f1:b0:fb:81:a1","dest_mac":"a4:7b:2c:21:03:79"},"host":"rq.lbcct.cloud.duba.net","host_md5":"51cfa6d0981c8eb355a9b3af716da08d","uri":"/query?1767994112","uri_md5":"f28f2c62d0dd01c355caa05815d93d99","referer":"","method":"POST","protocol":"HTTP/1.1","status":200,"req_content_type":"application/x-www-form-urlencoded","request_headers":"host: rq.lbcct.cloud.duba.net\r\naccept: */*\r\ncontent-length: 85\r\ncontent-type: application/x-www-form-urlencoded\r\n","rsp_content_type":"text/plain","response_headers":"server: Tengine/1.5.2\r\ndate: Fri, 09 Jan 2026 21:28:32 GMT\r\ncontent-type: text/plain\r\nContent-Length: 54\r\nConnection: keep-alive\r\nContent-Tag: 1936292435\r\n"}
2026-01-10 14:08:55.232 [nioEventLoopGroup-5-2] WARN com.zaxxer.hikari.pool.PoolBase - HikariPool-1 - Failed to validate connection org.postgresql.jdbc.PgConnection@53953cd1 (This connection has been closed.). Possibly consider using a shorter maxLifetime value.
2026-01-10 14:25:15.953 [nioEventLoopGroup-5-3] INFO com.netty.SyslogMessageHandler - Received syslog from 192.168.0.103:65302: <0> 2026-01-10T13:47:27+08:00 ubuntu log_forward[3419]: {"timestamp":"2026-01-10T13:47:27.249503+0800","flow_id":767115114538067,"community_id":"fFU2gDB2+pyUS6xQpAqqLdPLG4k=","serial_num":"CJFBT92","origin":"eno4","xdr_log_type":"http","vxlan_vni":256,"src_ip":"192.168.2.81","src_port":51018,"dest_ip":"120.241.131.42","dest_port":80,"proto":"TCP","app_proto":"http","tcp_sequence":423808413,"tcp_ack_sequence":3371175627,"ether":{},"host":"szextshort.weixin.qq.com","host_md5":"d7745538302ebc766b77ca8a4f3dd735","uri":"/mmtls/1abfe317","uri_md5":"e889825636e4d22b1d364b6bd6400ad5","agent":"MicroMessenger Client","referer":"","method":"POST","protocol":"HTTP/1.1","req_content_type":"application/octet-stream","request_headers":"accept: */*\r\ncache-control: no-cache\r\nconnection: Keep-Alive\r\ncontent-length: 2579\r\ncontent-type: application/octet-stream\r\nHost: szextshort.weixin.qq.com\r\nUpgrade: mmtls\r\nUser-Agent: MicroMessenger Client\r\n","rsp_content_type":"","response_headers":""}
2026-01-10 14:48:21.561 [nioEventLoopGroup-5-4] INFO com.netty.SyslogMessageHandler - Received syslog from 192.168.0.103:64558: <0> 2026-01-10T05:28:32+08:00 ubuntu log_forward[3419]: {"timestamp":"2026-01-10T05:28:32.806781+0800","flow_id":1671852309144385,"community_id":"uLeKRLkXu9m0D0DNn6wIg7CcdOs=","serial_num":"CJFBT92","origin":"eno4","xdr_log_type":"http","vxlan_vni":256,"src_ip":"172.16.121.137","src_port":51114,"dest_ip":"110.43.89.7","dest_port":80,"proto":"TCP","app_proto":"http","tcp_sequence":3553898360,"tcp_ack_sequence":3537707565,"ether":{"src_mac":"90:f1:b0:fb:81:a1","dest_mac":"a4:7b:2c:21:03:79"},"host":"rq.lbcct.cloud.duba.net","host_md5":"51cfa6d0981c8eb355a9b3af716da08d","uri":"/query?1767994112","uri_md5":"f28f2c62d0dd01c355caa05815d93d99","referer":"","method":"POST","protocol":"HTTP/1.1","status":200,"req_content_type":"application/x-www-form-urlencoded","request_headers":"host: rq.lbcct.cloud.duba.net\r\naccept: */*\r\ncontent-length: 85\r\ncontent-type: application/x-www-form-urlencoded\r\n","rsp_content_type":"text/plain","response_headers":"server: Tengine/1.5.2\r\ndate: Fri, 09 Jan 2026 21:28:32 GMT\r\ncontent-type: text/plain\r\nContent-Length: 54\r\nConnection: keep-alive\r\nContent-Tag: 1936292435\r\n"}
2026-03-09 18:21:20.224 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 6.2.5.Final
2026-03-09 18:21:20.224 [main] INFO com.SyslogServeMainApp - Starting SyslogServeMainApp using Java 1.8.0_121 on LAPTOP-ARDUR3N0 with PID 10428 (E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr\syslog-serve\target\classes started by chenc in E:\GIT_GOSAME\ai-security-xdr\haobang-security-xdr)
2026-03-09 18:21:20.234 [main] INFO com.SyslogServeMainApp - No active profile set, falling back to 1 default profile: "default"
2026-03-09 18:21:22.016 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Multiple Spring Data modules found, entering strict repository configuration mode
2026-03-09 18:21:22.021 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2026-03-09 18:21:22.197 [main] INFO o.s.d.r.c.RepositoryConfigurationDelegate - Finished Spring Data repository scanning in 163 ms. Found 0 Redis repository interfaces.
2026-03-09 18:21:22.765 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat initialized with port(s): 8189 (http)
2026-03-09 18:21:22.771 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8189"]
2026-03-09 18:21:22.771 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2026-03-09 18:21:22.771 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/9.0.65]
2026-03-09 18:21:23.163 [main] INFO o.a.c.c.C.[.[.[/syslogserve] - Initializing Spring embedded WebApplicationContext
2026-03-09 18:21:23.163 [main] INFO o.s.b.w.s.c.ServletWebServerApplicationContext - Root WebApplicationContext: initialization completed in 2858 ms
2026-03-09 18:21:27.379 [main] INFO o.a.coyote.http11.Http11NioProtocol - Starting ProtocolHandler ["http-nio-8189"]
2026-03-09 18:21:27.389 [main] INFO o.s.b.w.e.tomcat.TomcatWebServer - Tomcat started on port(s): 8189 (http) with context path '/syslogserve'
2026-03-09 18:21:27.401 [main] INFO com.SyslogServeMainApp - Started SyslogServeMainApp in 7.592 seconds (JVM running for 12.693)
2026-03-09 18:21:27.437 [main] INFO com.SyslogServeMainApp - Application SyslogServer start !
2026-03-09 18:21:27.437 [main] INFO com.netty.SyslogServer - Starting Syslog server with TCP port 514 and UDP port 514
2026-03-09 18:21:27.959 [pool-3-thread-2] INFO com.netty.SyslogServer - TCP Syslog server started on port 514
2026-03-09 18:21:27.959 [pool-3-thread-1] INFO com.netty.SyslogServer - UDP Syslog server started on port 514
2026-03-09 18:21:27.960 [main] INFO com.netty.SyslogServer - Both TCP and UDP Syslog servers are running
2026-03-09 18:21:32.274 [nioEventLoopGroup-5-1] INFO com.netty.SyslogMessageHandler - Received syslog from 192.168.1.19:55610: <0> 2026-01-12T14:37:53+08:00 ubuntu log_forward[3419]: {"flow_id": 1028204815001825, "serial_num": "CJFBT92", "src_ip": "120.238.245.132", "src_port": 60838, "dest_ip": "211.136.192.6", "dest_port": 53, "proto": "UDP", "app_proto": "dns", "direction": "CTS", "attacker_ip": "120.238.245.132", "victim_ip": "211.136.192.6", "rule_id": "0x20001e", "rule_name": "???????????DNS???????", "attack_type": "???????", "severity": "1", "bulletin": "??????????????????????????????????", "detail_info": "????????????????DNSLOG?????????", "vuln_type": "???????", "vuln_desc": "????????????????DNSLOG?????????", "vuln_harm": "????????????????DNSLOG?????????", "tags": "dnslog", "cnnvd_id": null, "cve_id": null, "killchain": "??????", "enable": "????", "attack_result": "???", "attack_method": "???", "site_app": null, "code_language": "???", "att_ck": "TA0002", "timestamp": "2026-01-12T14:37:53.588+0800", "custom": "{}", "feature_field": "", "feature_payload": "", "": null, "payload": "SQkBAAABAAAAAAAAB3BvbGxpbmcHb2FzdGlmeQNjb20AAAEAAQ==", "packet_size": 37, "pcap_file": ""}
2026-03-09 18:21:32.533 [nioEventLoopGroup-5-1] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Starting...
2026-03-09 18:21:33.099 [nioEventLoopGroup-5-1] INFO com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Start completed.