Last active
March 6, 2018 03:42
-
-
Save Howard-Chang/2706561f3ad078d63f64fc463d39fc01 to your computer and use it in GitHub Desktop.
輔大syslog.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1.把type是anomaly的syslog抓出來,包含其IPV4_SRC_ADDR、IPV4_DST_ADDR、time. | |
| GET _search | |
| { | |
| "_source": { | |
| "includes": [ "IPV4_SRC_ADDR","IPV4_DST_ADDR","msg","time","attack"] | |
| }, | |
| "query":{ | |
| "bool": { | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-08-01T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| }, | |
| { | |
| "match" : { | |
| "type":"anomaly" | |
| } | |
| } | |
| ] | |
| } | |
| } | |
| } | |
| 回傳的結果: | |
| { | |
| "took": 8, | |
| "timed_out": false, | |
| "_shards": { | |
| "total": 6, | |
| "successful": 6, | |
| "skipped": 0, | |
| "failed": 0 | |
| }, | |
| "hits": { | |
| "total": 44, | |
| "max_score": 10.89842, | |
| "hits": [ | |
| { | |
| "_index": "logstash-2018.03.05", | |
| "_type": "anomaly", | |
| "_id": "AWH2GBUNP6fb8E2rThzM", | |
| "_score": 10.89842, | |
| "_source": { | |
| "msg": "anomaly: ip_dst_session, 27225 > threshold 5000, repeats 4415 times", | |
| "IPV4_SRC_ADDR": "140.136.43.176", | |
| "IPV4_DST_ADDR": "140.136.200.8" | |
| } | |
| }, | |
| { | |
| "_index": "logstash-2018.03.05", | |
| "_type": "anomaly", | |
| "_id": "AWH2GtkXP6fb8E2rTsRh", | |
| "_score": 10.89842, | |
| "_source": { | |
| "msg": "anomaly: ip_dst_session, 28187 > threshold 5000, repeats 5064 times", | |
| "IPV4_SRC_ADDR": "140.136.47.244", | |
| "IPV4_DST_ADDR": "140.136.200.8" | |
| } | |
| }, | |
| { | |
| "_index": "logstash-2018.03.05", | |
| "_type": "anomaly", | |
| "_id": "AWH2Ipx_P6fb8E2rUIdc", | |
| "_score": 10.89842, | |
| "_source": { | |
| "msg": "anomaly: udp_dst_session, 29763 > threshold 5000, repeats 4330 times", | |
| "IPV4_SRC_ADDR": "140.136.3.113", | |
| "IPV4_DST_ADDR": "140.136.200.8" | |
| } | |
| }, | |
| { | |
| "_index": "logstash-2018.03.05", | |
| "_type": "anomaly", | |
| "_id": "AWH2MUQ5P6fb8E2rVAxz", | |
| "_score": 10.89842, | |
| "_source": { | |
| "msg": "anomaly: udp_dst_session, 26688 > threshold 5000, repeats 4881 times", | |
| "IPV4_SRC_ADDR": "140.136.18.12", | |
| "IPV4_DST_ADDR": "140.136.200.8" | |
| } | |
| } | |
| -----以下省略----- | |
| 2.把有anomaly type的IP抓出來,並看它總共有幾個session超量的syslog doc | |
| GET _search | |
| { | |
| "size": 0, | |
| "query":{ | |
| "bool": { | |
| "must":[ | |
| { | |
| "range":{ | |
| "@timestamp":{ | |
| "gte":"2017-08-01T11:00:00", | |
| "lt":"now" | |
| } | |
| } | |
| }, | |
| { | |
| "match" : { | |
| "IPV4_DST_ADDR":"140.136.200.8" //根據需求這邊也可以改成"IPV4_SRC_ADDR" | |
| } | |
| }, | |
| { | |
| "match" : { | |
| "type":"anomaly" | |
| } | |
| } | |
| ] | |
| } | |
| } | |
| } | |
| 原則上會有session超量的問題一定是SRC_IP、DST_IP都是lan端,或是SRC_IP是在lan端、DST_IP在wan端. | |
| 回傳結果: | |
| { | |
| "took": 15, | |
| "timed_out": false, | |
| "_shards": { | |
| "total": 6, | |
| "successful": 6, | |
| "skipped": 0, | |
| "failed": 0 | |
| }, | |
| "hits": { | |
| "total": 49, //只需取其 total值 | |
| "max_score": 0, | |
| "hits": [] | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment