1、修改算子运算结果后入库BUG

2、根据设备ID获取设备IP、设备厂商、设备名称 信息补全标准化表
3、完善告警表字段内容:syslog_normal_alarm: http_url ->alarm: victim_web_url
2026-01-26 15:20:46 +08:00
parent 6603c6f4a1
commit cf6b89ea94
23 changed files with 1941 additions and 52 deletions


@@ -14,11 +14,11 @@ public interface AlarmMapper {
@Insert({"<script>",
"INSERT INTO alarm (",
"id, created_at, alarm_name, alarm_level, alarm_type, ",
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, ",
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, victim_web_url, ",
"device_id, comment,origin_log_ids,log_start_at, log_end_at, http_status, ",
"attack_port, victim_port, attack_method, etl_time, log_count, ",
"attack_chain_phase, disposition_advice, attack_direction, ",
"judged_state, disposed_state, attack_result, fall, payload, " ,
"judged_state, disposed_state, attack_result, fall, payload, engine_type, " ,
"http_req_header , http_req_body,http_resp_header , http_resp_body ",
") VALUES ",
"<foreach collection='list' item='item' separator=','>",
@@ -26,6 +26,7 @@ public interface AlarmMapper {
"#{item.alarmType}, #{item.alarmMajorType}, #{item.alarmMinorType}, #{item.alarmAreaId}, ",
"#{item.attackIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.victimIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.victimWebUrl, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.deviceId, typeHandler=com.Modules.etl.handler.ArrayIntegerTypeHandler}, ",
"#{item.comment}, " ,
"#{item.originLogIds, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
@@ -36,7 +37,7 @@ public interface AlarmMapper {
"#{item.attackChainPhase, typeHandler=com.Modules.etl.handler.ArrayIntegerTypeHandler}, ",
"#{item.dispositionAdvice}, #{item.attackDirection}, ",
"#{item.judgedState}, #{item.disposedState}, #{item.attackResult}, #{item.fall}, ",
"#{item.payload}, ",
"#{item.payload}, #{item.engineType}, ",
"#{item.httpReqHeaders, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.httpReqBodys, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.httpRespHeaders, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
@@ -50,17 +51,18 @@ public interface AlarmMapper {
*/
@Insert("INSERT INTO alarm (" +
"id, created_at, alarm_name, alarm_level, alarm_type, " +
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, " +
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, victim_web_url, " +
"device_id, comment,origin_log_ids, log_start_at, log_end_at, http_status, " +
"attack_port, victim_port, attack_method, etl_time, log_count, " +
"attack_chain_phase, disposition_advice, attack_direction, " +
"judged_state, disposed_state, attack_result, fall, payload, " +
"judged_state, disposed_state, attack_result, fall, payload, engine_type, " +
"http_req_header , http_req_body,http_resp_header , http_resp_body " +
") VALUES (" +
"#{id}, #{createdAt}, #{alarmName}, #{alarmLevel}, " +
"#{alarmType}, #{alarmMajorType}, #{alarmMinorType}, #{alarmAreaId}, " +
"#{attackIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
"#{victimIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
"#{victimWebUrl, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, "+
"#{deviceId, typeHandler=com.Modules.etl.handler.ArrayIntegerTypeHandler}, " +
"#{comment}, " +
"#{originLogIds, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
@@ -70,7 +72,7 @@ public interface AlarmMapper {
"#{attackMethod}, #{etlTime}, #{logCount}, " +
"#{attackChainPhase, typeHandler=com.Modules.etl.handler.ArrayIntegerTypeHandler}, " +
"#{dispositionAdvice}, #{attackDirection}, " +
"#{judgedState}, #{disposedState}, #{attackResult}, #{fall}, #{payload}, " +
"#{judgedState}, #{disposedState}, #{attackResult}, #{fall}, #{payload}, #{engineType}, " +
"#{httpReqHeaders, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
"#{httpReqBodys, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
"#{httpRespHeaders, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
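Review bot: The new `victim_web_url` column (L18, L49) is populated from `http_url` values aggregated out of the syslog rows, which for web-attack events are request URLs chosen by the client, and nothing on the mapper marks that data as untrusted. The statements themselves are fine because both variants bind the list through `#{..., typeHandler=ArrayStringTypeHandler}` rather than concatenating, so the point is documentation: add `// victim_web_url: raw request URLs aggregated from syslog http_url — attacker-controlled, treat as untrusted when rendering` above the column list of the batch insert so consumers of the column do not assume it was sanitized. The column list is maintained by hand in both the batch and the single-row insert; the two agree after this change and should be kept that way.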


@@ -18,11 +18,11 @@ public interface AlarmVisitMapper {
@Insert({"<script>",
"INSERT INTO alarm_visit (",
"id, created_at, alarm_name, alarm_level, alarm_type, ",
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, ",
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, victim_web_url, ",
"device_id, comment,origin_log_ids,log_start_at, log_end_at, http_status, ",
"attack_port, victim_port, attack_method, etl_time, log_count, ",
"attack_chain_phase, disposition_advice, attack_direction, ",
"judged_state, disposed_state, attack_result, fall, payload, " ,
"judged_state, disposed_state, attack_result, fall, payload, " ,
"http_req_header , http_req_body,http_resp_header , http_resp_body ",
") VALUES ",
"<foreach collection='list' item='item' separator=','>",
@@ -30,6 +30,7 @@ public interface AlarmVisitMapper {
"#{item.alarmType}, #{item.alarmMajorType}, #{item.alarmMinorType}, #{item.alarmAreaId}, ",
"#{item.attackIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.victimIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.victimWebUrl, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
"#{item.deviceId, typeHandler=com.Modules.etl.handler.ArrayIntegerTypeHandler}, ",
"#{item.comment}, " ,
"#{item.originLogIds, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, ",
@@ -54,7 +55,7 @@ public interface AlarmVisitMapper {
*/
@Insert("INSERT INTO alarm_visit (" +
"id, created_at, alarm_name, alarm_level, alarm_type, " +
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, " +
"alarm_major_type, alarm_minor_type,alarm_area_id, attack_ip, victim_ip, victim_web_url, " +
"device_id, comment,origin_log_ids, log_start_at, log_end_at, http_status, " +
"attack_port, victim_port, attack_method, etl_time, log_count, " +
"attack_chain_phase, disposition_advice, attack_direction, " +
@@ -65,6 +66,7 @@ public interface AlarmVisitMapper {
"#{alarmType}, #{alarmMajorType}, #{alarmMinorType}, #{alarmAreaId}, " +
"#{attackIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
"#{victimIp, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
"#{victimWebUrl, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, "+
"#{deviceId, typeHandler=com.Modules.etl.handler.ArrayIntegerTypeHandler}, " +
"#{comment}, " +
"#{originLogIds, typeHandler=com.Modules.etl.handler.ArrayStringTypeHandler}, " +
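Review bot: The batch insert's column line at L86–L87 is shown as changed but reads identically on both sides, which looks like a whitespace-only edit, and unlike the parallel AlarmMapper insert in this commit it does not gain `engine_type`. If `alarm_visit` carries (or is meant to mirror) that column, visit alarms will silently get NULL there; add `engine_type, ` after `payload, ` in both column lists and `#{item.engineType}, ` / `#{engineType}, ` after the payload placeholders, as AlarmMapper does. If the two tables intentionally diverge, a one-line comment above the list saying so would stop the next schema change from being applied to only one of them.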


@@ -0,0 +1,93 @@
package com.common.mapper;
import com.common.entity.DeviceDevice;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import java.util.List;
import java.util.Map;
@Mapper
public interface DeviceDeviceMapper {
/**
* 根据ID查询设备
*/
DeviceDevice selectById(Integer id);
/**
* 查询所有设备
*/
List<DeviceDevice> selectAll();
/**
* 根据IP地址查询设备
*/
List<DeviceDevice> selectByIp(String ip);
/**
* 根据设备名称模糊查询
*/
List<DeviceDevice> selectByNameLike(String name);
/**
* 根据设备组查询
*/
List<DeviceDevice> selectByDeviceGroup(Integer deviceGroup);
/**
* 根据设备类型查询
*/
List<DeviceDevice> selectByDeviceType(Integer deviceType);
/**
* 根据组织ID查询
*/
List<DeviceDevice> selectByOrganizationId(Integer organizationId);
/**
* 根据状态查询设备
*/
List<DeviceDevice> selectByStatus(Short status);
/**
* 多条件组合查询
*/
List<DeviceDevice> selectByCondition(DeviceDevice condition);
/**
* 动态条件查询
*/
List<DeviceDevice> selectByMap(Map<String, Object> params);
/**
* 分页查询
*/
List<DeviceDevice> selectByPage(@Param("offset") int offset, @Param("limit") int limit);
/**
* 统计设备数量
*/
Long count();
/**
* 根据条件统计数量
*/
Long countByCondition(DeviceDevice condition);
/**
* 查询监控中的设备
*/
List<DeviceDevice> selectMonitoringDevices();
/**
* 查询未删除的设备del_flag = '0'
*/
List<DeviceDevice> selectActiveDevices();
/**
* 根据厂商查询设备
*/
List<DeviceDevice> selectByVendor(String vendor);
}
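Review bot: `selectByNameLike(String name)` at L143 and `selectByMap(Map<String, Object> params)` at L167 take free-form input into what are, by name, a LIKE predicate and a dynamically built WHERE clause, but the mapper XML behind this annotation-free interface is not in the visible diff, so nothing here shows how the values are bound. For the LIKE query, even with `#{}` binding a caller-supplied `%` or `_` acts as a wildcard (a bare `%` lists every device), so escape those characters before binding and add an `ESCAPE` clause; for the map query, only a fixed whitelist of keys should ever reach `${}` column-name substitution. Document that contract on the interface, e.g. `@param name literal substring — the caller must escape %, _ and \ before passing it` on `selectByNameLike`, and a Javadoc line on `selectByMap` naming the accepted keys.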


@@ -0,0 +1,46 @@
package com.common.mapper;
import com.common.entity.RuleHitTimeDTO;
import org.apache.ibatis.annotations.*;
import java.time.LocalDateTime;
import java.util.List;
import java.util.Map;
@Mapper
public interface NormalizeRuleStatsMapper {
@Select("SELECT normalize_rule_id AS normalizeRuleId, " +
" MAX(log_time) AS maxLogTime " +
"FROM syslog_normal_data " +
"WHERE created_at >= #{startDate} " +
"GROUP BY normalize_rule_id")
List<RuleHitTimeDTO> selectMaxHitTimeFromNormalData(
@Param("startDate") LocalDateTime startDate
);
@Select("SELECT normalize_rule_id AS normalizeRuleId, " +
" MAX(log_time) AS maxLogTime " +
"FROM syslog_normal_alarm " +
"WHERE created_at >= #{startDate} " +
"GROUP BY normalize_rule_id")
List<RuleHitTimeDTO> selectMaxHitTimeFromNormalAlarm(
@Param("startDate") LocalDateTime startDate
);
@Select("SELECT id FROM dm_normalize_rule " +
"WHERE del_flag = '0' " +
"ORDER BY id")
List<Long> selectActiveRuleIds();
@Update("UPDATE dm_normalize_rule " +
"SET updated_at = NOW(), " +
" first_data_saved_at = #{hitTime} " +
"WHERE id = #{ruleId} " +
" AND (first_data_saved_at IS NULL OR first_data_saved_at < #{hitTime})")
int updateRuleHitTime(
@Param("ruleId") Long ruleId,
@Param("hitTime") LocalDateTime hitTime
);
}
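Review bot: `updateRuleHitTime` at L225–L229 advances `first_data_saved_at` whenever the new value is later (`first_data_saved_at < #{hitTime}`) while the feeding queries select `MAX(log_time)`, so a column named "first" actually tracks the latest hit and the name and the guard disagree. If it really is a first-seen timestamp, feed it `MIN(log_time)` and write it only once with `AND first_data_saved_at IS NULL`; if it is a last-seen timestamp, the column and method names should say so. Separately, `log_time` appears to be the timestamp carried in the log itself rather than the ingest time (the WHERE filters on `created_at`), so a device with a skewed clock or a forged syslog timestamp far in the future would pin the column there and the `<` guard would then reject every correct later value; either clamp `hitTime` to `NOW()` before the update or base it on `created_at`.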


@@ -49,16 +49,18 @@ public interface SyslogNormalAlarmMapper {
*/
@Select("SELECT " +
"to_char(log_time, 'YYYYMMDD') as log_date, " +
" MIN(origin_event_type) AS first_event_type, " +
"ARRAY_AGG(DISTINCT host(src_ip)::text) as attack_ips, " +
"origin_event_name, " +
"MAX(attack_result) as attack_result, " +
"MIN(log_time) as min_log_time, " +
"MAX(log_time) as max_log_time, " +
"COUNT(1) as log_count, " +
"ARRAY_AGG(DISTINCT host(dest_ip)::text) as victim_ips, " +
"ARRAY_AGG(DISTINCT http_url) as victim_web_urls, " +
"ARRAY_AGG(DISTINCT device_id) as device_ids, " +
"ARRAY_AGG(DISTINCT id) as origin_log_ids, " +
"MAX(event_level) as max_event_level, " +
"MIN(origin_event_type) AS first_event_type, " +
"MAX(origin_event_type) as event_type, " +
"MIN(event_type) as min_event_type, " +
"ARRAY_AGG(DISTINCT src_port::int4) as attack_ports, " +
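Review bot: `ARRAY_AGG(DISTINCT http_url)` at L250 has no filter, so for alarms whose rows carry no HTTP URL the stored `victim_web_urls` becomes a one-element `{NULL}` array instead of an empty one, and for a scanner that hits thousands of distinct paths the array grows without bound inside a single alarm row. Use `ARRAY_AGG(DISTINCT http_url) FILTER (WHERE http_url IS NOT NULL) as victim_web_urls` and consider capping the list (or storing a distinct count next to it) before it is written into `alarm.victim_web_url`. Also, `MIN(origin_event_type) AS first_event_type` now appears twice in the select list (L242 and L254); the header's +2 is accounted for by L242 and L250, so L242 looks like a new duplicate of an existing alias — harmless in value but redundant, and one of the two should go.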


@@ -46,16 +46,18 @@ public interface SyslogNormalDataMapper {
*/
@Select("SELECT " +
"to_char(log_time, 'YYYYMMDD') as log_date, " +
" MIN(origin_event_type) AS first_event_type, " +
"ARRAY_AGG(DISTINCT host(src_ip)::text) as attack_ips, " +
"origin_event_name, " +
"MAX(attack_result) as attack_result, " +
"MIN(log_time) as min_log_time, " +
"MAX(log_time) as max_log_time, " +
"COUNT(1) as log_count, " +
"ARRAY_AGG(DISTINCT host(dest_ip)::text) as victim_ips, " +
"ARRAY_AGG(DISTINCT http_url) as victim_web_urls, " +
"ARRAY_AGG(DISTINCT device_id) as device_ids, " +
"ARRAY_AGG(DISTINCT id) as origin_log_ids, " +
"MAX(event_level) as max_event_level, " +
"MIN(origin_event_type) AS first_event_type, " +
"MAX(origin_event_type) as event_type, " +
"MIN(event_type) as min_event_type, " +
"ARRAY_AGG(DISTINCT src_port::int4) as attack_ports, " +
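Review bot: `MIN(origin_event_type) AS first_event_type` is selected twice in this hunk, at L265 and L277; with the header's +2 accounted for by L265 and L273, L265 looks like the new line, leaving a duplicate output alias that PostgreSQL accepts but that is redundant and makes which copy the result mapper reads depend on column order — drop one of them. The other addition, `ARRAY_AGG(DISTINCT http_url)` at L273, aggregates NULLs as well, so rows without an HTTP URL yield `{NULL}` rather than an empty array, and nothing bounds how many distinct URLs one alarm collects; `ARRAY_AGG(DISTINCT http_url) FILTER (WHERE http_url IS NOT NULL) as victim_web_urls` fixes the first, and a cap or a separate distinct count addresses the second.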