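    def post(self, request):
        """
        安全评分 (security score).

        Runs three aggregate queries: today's per-source/per-level totals
        (fed to ``get_score``), the all-time event total over ``all-event-*``
        and today's total, and returns the floored score, the floored
        all-time total and today's share of it as a percentage string.

        Args:
            request: the incoming DRF request; not read by this handler.

        Returns:
            ``Response`` with ``{"status": 200, "data": {...}}``.
        """
        day = datetime.now().strftime('%Y-%m-%d')
        today_index = 'all-event-{}-*'.format(day)

        # Only the score itself is used here; the per-event name/score
        # breakdown returned by get_score() is discarded.
        sql = 'SELECT event_source,event_level,sum(event_total) count_ FROM {} where event_level>0 ' \
              'group by event_source,event_level order by event_source'.format(today_index)
        score, _event_name, _event_score = get_score(exec_es_sql(sql=sql))

        total_sql = 'SELECT sum(event_total) count_ FROM all-event-* where event_level>0 '
        total_result = exec_es_sql(sql=total_sql)
        total_count = total_result[0]['count_'] if total_result else 0

        today_sql = 'SELECT sum(event_total) count_ FROM all-event-{}-* where event_level>0 '.format(day)
        today_result = exec_es_sql(sql=today_sql)
        today_count = today_result[0]['count_'] if today_result else 0

        # float() avoids integer division truncating the share to 0 on
        # Python 2 when ES hands back integral counts.
        up = 0.0
        if total_count:
            up = float(today_count) * 100 / total_count

        data = {
            "score": int(math.floor(score)),
            "total": int(math.floor(total_count)),
            "up": '{}%'.format(round(up, 2)),
        }
        return Response({"status": 200, "data": data})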
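def event_num_count(days):
    '''
    设备事件量占比 (event volume per device type).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings; one ``all-event-<day>-*``
            index pattern is queried per day.

    Returns:
        ``{"labels": "事件来源", "data": [{"name": ..., "data": [count]}, ...]}``
        with one entry per known source type in a fixed order, followed by
        one entry per firewall host (event_source 1).
    '''
    index = ','.join('all-event-{}-*'.format(day) for day in days)
    event_source_sql = 'select event_source,sum(event_total) count_ from {}  ' \
                       'where event_level>0 group by event_source order by count_ desc'.format(index)

    # Display order is fixed: (label, event_source code).
    sources = [
        (u'数据库审计', 3), (u'IDS', 2), (u'隔离设备', 5),
        (u'摆渡设备', 4), (u'终端', 7), (u'杀毒软件', 6),
    ]
    totals = {code: 0 for _name, code in sources}
    for item in exec_es_sql(sql=event_source_sql):
        code = item['event_source']
        if code in totals:
            totals[code] += item['count_']
    event_source_data = [{'name': name, 'data': [totals[code]]} for name, code in sources]

    # 防火墙: firewalls are reported per host rather than as one source.
    event_source_fw_sql = 'select event_host,sum(event_total) count_ from {}  ' \
                          'where event_level>0 and event_source=1 ' \
                          'group by event_host order by count_ desc'.format(index)
    for fw in exec_es_sql(sql=event_source_fw_sql):
        event_source_data.append({
            'name': u'防火墙{}'.format(fw['event_host']),
            'data': [fw['count_']]
        })
    return {"labels": u"事件来源", "data": event_source_data}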
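 def data(self):
     """
     Per-day event totals for each event source over the reporting window.

     Queries ``<tag>-<day>*`` for each fixed event tag, and the
     ``event-security-<day>*`` index filtered on ``event_source`` for the
     隔离设备 / 摆渡设备 sources, producing one series per source aligned
     with ``day_list``.

     Returns:
         ``{"labels": day_list, "data": [{"name": ..., "data": [...]}, ...]}``
     """
     count_type = 1
     day_list = get_day_list(count_type)

     def sum_total(index, where=""):
         # Total event_total for one index pattern; 0 when ES returns no row.
         sql = "SELECT sum(event_total) nums FROM {}{}".format(index, where)
         result_list = exec_es_sql(sql)
         return int(result_list[0]['nums']) if result_list else 0

     # (series name, index prefix, extra where clause) in output order.
     series_spec = [
         ("防火墙", "event-firewall", ""),
         ("IDS", "event-ids", ""),
         ("终端", "event-terminal", ""),
         ("数据库审计", "event-db-audit", ""),
         ("360杀毒软件", "event-anti", ""),
         ("隔离设备", "event-security", " where event_source like '%隔离设备%' "),
         ("摆渡设备", "event-security", " where event_source like '%摆渡设备%' "),
     ]
     series = dict((name, []) for name, _prefix, _where in series_spec)
     for day in day_list:
         for name, prefix, where in series_spec:
             series[name].append(sum_total(prefix + "-" + day + "*", where))

     event_type_list = [{'name': name, 'data': series[name]}
                        for name, _prefix, _where in series_spec]
     return {"labels": day_list, "data": event_type_list}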
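    def post(self, request):
        """
        设备状态 (device collection status).

        For each known device type, plus every firewall host seen in the
        7-day ``statistics-*`` indices, reports the registered asset count,
        how many assets produced events today ("normal"), how many are
        silent ("off") and the number of abnormal events.

        Args:
            request: the incoming DRF request; not read by this handler.

        Returns:
            ``Response`` with ``{"status": 200, "data": [...]}``.
        """
        day = datetime.now().strftime("%Y-%m-%d")
        stats_index = get_day7_index('statistics-*')
        sql = 'select log_source,count(distinct terminal) count_ from {0}  ' \
              'group by log_source'.format(stats_index)
        result = exec_es_sql(sql=sql)

        # Fixed device types first, then one entry per firewall host found
        # in the statistics data (event_source 1 = firewall).
        labels = [u'数据库审计', u'IDS', u'隔离设备', u'摆渡设备', u'360', u'终端']
        event_source_type = [3, 2, 5, 4, 6, 7]
        for item in result:
            log_source = item['log_source']
            if u'防火墙' in log_source and log_source not in labels:
                labels.append(log_source)
                event_source_type.append(1)

        # Registered-asset count per log_source; a repeated row overwrites.
        assets_by_source = {}
        for item in result:
            assets_by_source[item['log_source']] = item['count_']

        data = []
        for lab, source_type in zip(labels, event_source_type):
            assets_num = assets_by_source.get(lab, 0)
            normal, abnormal = 0, 0

            # 防火墙: narrow the event query to one host. The previous
            # template had no placeholder, so the host was never inserted
            # and the filter always read event_host=''.
            where = ''
            run_query = True
            if source_type == 1:
                host = lab.replace(u'防火墙', '')
                if "'" in host or "\\" in host:
                    # log_source is indexed log data; a quote in it must not
                    # reach the query text, so leave this host at 0.
                    run_query = False
                else:
                    where = " and event_host='{}' ".format(host)
            if run_query:
                assets_sql = 'SELECT event_source,count(distinct event_host) count_,sum(event_total) sum_ ' \
                             'FROM all-event-{}-* where event_source={} {} ' \
                             'group by event_source'.format(day, source_type, where)
                assets_count = exec_es_sql(sql=assets_sql)
                if assets_count:
                    normal = assets_count[0]['count_']
                    abnormal = assets_count[0]['sum_']

            if normal > assets_num:
                assets_num = normal
                off = 0
            else:
                off = assets_num - normal
            data.append({
                "type": u'杀毒软件' if lab == '360' else lab,
                "num": assets_num,
                "normal": normal,
                "off": off,
                "abnormal": abnormal
            })
        return Response({"status": 200, "data": data})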
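    def post(self, request):
        '''
        事件统计 (event statistics for the last 7 days).

        Reports the number of attack / violation / virus events by
        ``event_one_type`` and the event total per source, with firewalls
        broken out per host.

        Args:
            request: the incoming DRF request; not read by this handler.

        Returns:
            ``Response`` with ``{"status": 200, "data": {...}}``.
        '''
        index = get_day7_index('all-event')
        event_type_sql = 'select event_one_type,count(*) count_ from {0} ' \
                         'where event_level>0 group by event_one_type order by count_ desc'.format(index)
        # Only these three top-level types are reported; others are ignored.
        type_counts = {u'攻击': 0, u'违规': 0, u'病毒': 0}
        for item in exec_es_sql(sql=event_type_sql):
            one_type = item['event_one_type']
            if one_type in type_counts:
                type_counts[one_type] = item['count_']

        event_source_sql = 'select event_source,sum(event_total) count_ from {0}  ' \
                           'where event_level>0 group by event_source order by count_ desc'.format(index)
        # Display order is fixed: (label, event_source code).
        sources = [
            (u'数据库审计', 3), (u'IDS', 2), (u'隔离设备', 5),
            (u'摆渡设备', 4), (u'终端', 7), (u'杀毒软件', 6),
        ]
        totals = {code: 0 for _name, code in sources}
        for item in exec_es_sql(sql=event_source_sql):
            code = item['event_source']
            if code in totals:
                totals[code] += item['count_']
        event_source_data = [{'name': name, 'value': totals[code]} for name, code in sources]

        # 防火墙: one entry per firewall host (event_source 1).
        event_source_fw_sql = 'select event_host,sum(event_total) count_ from {0}  ' \
                              'where event_level>0 and event_source=1 ' \
                              'group by event_host order by count_ desc'.format(index)
        for fw in exec_es_sql(sql=event_source_fw_sql):
            event_source_data.append({
                'name': '防火墙{}'.format(fw['event_host']),
                'value': fw['count_']
            })
        data = {
            'event_type': {
                'norule': type_counts[u'违规'],
                'attack': type_counts[u'攻击'],
                'viruses': type_counts[u'病毒']
            },
            'event_source': event_source_data
        }
        return Response({"status": 200, "data": data})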
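def asset_status(days):
    '''
    资产状态 (asset collection status per device type).

    For each known device type, plus every firewall host present in the
    ``statistics`` indices for ``days``, reports registered assets, assets
    that produced events ("normal"), silent assets ("off") and the number
    of abnormal events.

    Args:
        days: iterable of ``YYYY-MM-DD`` strings (iterated twice, so it is
            materialised to a list first).

    Returns:
        ``{"labels": [column headers], "data": [[type, num, normal, off, abnormal], ...]}``
    '''
    days = list(days)
    stats_index = ','.join('statistics-*-{}-*'.format(day) for day in days)
    sql = 'select log_source,count(distinct terminal) count_ from {}  ' \
          'group by log_source'.format(stats_index)
    result = exec_es_sql(sql=sql)

    # Fixed device types first, then one entry per firewall host found in
    # the statistics data (event_source 1 = firewall).
    labels = [u'数据库审计', u'IDS', u'隔离设备', u'摆渡设备', u'360', u'终端']
    event_source_type = [3, 2, 5, 4, 6, 7]
    for item in result:
        log_source = item['log_source']
        if u'防火墙' in log_source and log_source not in labels:
            labels.append(log_source)
            event_source_type.append(1)

    # Registered-asset count per log_source; a repeated row overwrites.
    assets_by_source = {}
    for item in result:
        assets_by_source[item['log_source']] = item['count_']

    # Loop-invariant: the event index pattern does not depend on the label.
    event_index = ','.join('all-event-{}-*'.format(day) for day in days)
    data = []
    for lab, source_type in zip(labels, event_source_type):
        assets_num = assets_by_source.get(lab, 0)
        normal, abnormal = 0, 0

        # 防火墙: narrow the event query to one host. The previous template
        # had no placeholder, so the host was never inserted and the filter
        # always read event_host=''.
        where = ''
        run_query = True
        if source_type == 1:
            host = lab.replace(u'防火墙', '')
            if "'" in host or "\\" in host:
                # log_source is indexed log data; a quote in it must not
                # reach the query text, so leave this host at 0.
                run_query = False
            else:
                where = " and event_host='{}' ".format(host)
        if run_query:
            assets_sql = 'SELECT event_source,count(distinct event_host) count_,sum(event_total) sum_ ' \
                         'FROM {} where event_source={} {} group by event_source ' \
                         ''.format(event_index, source_type, where)
            assets_count = exec_es_sql(sql=assets_sql)
            if assets_count:
                normal = assets_count[0]['count_']
                abnormal = assets_count[0]['sum_']

        if normal > assets_num:
            assets_num = normal
            off = 0
        else:
            off = assets_num - normal
        type_name = u'杀毒软件' if lab == '360' else lab
        data.append([type_name, assets_num, normal, off, abnormal])

    return {
        "labels": [u'类型', u'数量 ', u'采集正常', u'采集断开', u'异常事件数'],
        "data": data
    }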
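def terminal_print_count(days):
    '''
    打印情况统计 (print activity per terminal, top 10 rows).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-all-terminal-<day>-*`` indices.

    Returns:
        ``{"labels": [term_ip, ...], "data": [{"name": act label, "data": [count per ip]}, ...]}``
        with one series per action type in a fixed order.
    '''
    index = ','.join('ssa-ag-all-terminal-{}-*'.format(day) for day in days)
    sql = 'SELECT term_ip,act_type,count(*) count_ FROM {} ' \
          'where log_type=5 and request_type=1 and act_type in (0,1,2,3,4,5,7) ' \
          'group by term_ip,act_type order by count_ desc limit 10'.format(index)
    count_list = exec_es_sql(sql=sql)

    # (act_type as string, display label) in output order.
    act_types = [
        ('0', u"拒绝打印"), ('1', u"同意打印"), ('2', u"打印审计"), ('3', u"强制使用"),
        ('4', u"自行取消"), ('5', u"中心超时取消"), ('7', u"离线使用"),
    ]
    # Distinct IPs in first-seen order plus a (ip, act_type) -> count lookup;
    # a repeated pair keeps the last count, as the old nested loops did.
    ips = []
    counts = {}
    for item in count_list:
        ip = item['term_ip']
        if ip not in ips:
            ips.append(ip)
        counts[(ip, str(item['act_type']))] = item['count_']
    row = [{'name': name, 'data': [counts.get((ip, code), 0) for ip in ips]}
           for code, name in act_types]
    return {"labels": ips, "data": row}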
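def terminal_login_fail_count(days):
    '''
    登录失败统计 (top-10 source IPs by failed logins).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-all-terminal-<day>-*`` indices.

    Returns:
        ``{"labels": [login_ip, ...], "data": [series]}`` where ``series``
        holds one failure count per label; ``data`` is empty when there
        are no rows.
    '''
    index = ','.join('ssa-ag-all-terminal-{}-*'.format(day) for day in days)
    sql = 'SELECT login_ip,count(*) count_ FROM {} where log_type=2 and login_result=0 ' \
          'group by login_ip order by count_ desc limit 10'.format(index)
    count_list = exec_es_sql(sql=sql)

    # Distinct IPs in first-seen order; on a repeated IP the last count
    # wins, matching the old nested loop. Assumes login_ip is hashable.
    labels = []
    counts = {}
    for item in count_list:
        ip = item['login_ip']
        if ip not in counts:
            labels.append(ip)
        counts[ip] = item['count_']
    flow_count = {'name': u'登录失败次数', 'data': [counts[ip] for ip in labels]}
    return {
        "labels": labels,
        "data": [flow_count] if labels else []
    }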
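 def get(self, request):
     """
     查询人员信息 (look up attacker records by user or source IP).

     Query params:
         search: optional substring matched with LIKE against ``src_ip``
             and ``attack_user``. It is spliced into the ES SQL text, so a
             value containing a quote or backslash is rejected; ``%`` / ``_``
             act as LIKE wildcards and only widen the match.
         data_tag: resolved to an index prefix by ``get_index``.

     Returns:
         ``Response`` with at most five matching rows, or status 400 when
         ``search`` cannot be embedded safely.
     """
     search = request.query_params.get("search")
     tag = request.query_params.get("data_tag")
     index = get_index(tag)
     base_sql = "select * from {}* ".format(index)
     where_sql = ""
     if search:
         # exec_es_sql has no parameter binding: refuse anything that could
         # close the string literal before building the clause.
         if "'" in search or "\\" in search:
             return Response({"status": 400, "msg": "search 参数不合法", "data": []})
         where_sql = "where src_ip like '%%%s%%' " \
                     "or attack_user like '%%%s%%'" % (search, search)
     # 取前五 (first five only)
     query_sql = base_sql + where_sql + "limit 5"
     result = exec_es_sql(query_sql)
     data = [{
         "name": i.get('attack_user'),
         "ip": i.get('src_ip'),
         "port": i.get('src_port'),
         "location": i.get('attack_city'),
         "dst_ip": i.get('dst_ip'),
         "dst_port": i.get('dst_port'),
         "dst_location": i.get('attacked_city'),
         "ip_addr": "--",
         "device_type": "--",
         "device": "--",
         "asset": "--"
     } for i in result[:5]]
     return Response({"status": 200, "msg": "成功", "data": data})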
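 def data(self):
     """
     Virus event counts by ``event_type`` (excluding "正常事件"), sorted by
     count descending and optionally truncated to ``self.top``.

     Returns:
         Whatever ``report_data_rule1`` builds from the count list, the
         matching event-type names and the report title.
     """
     count_type = 1
     counts_by_type = {}
     for data_tag in ["event-anti"]:
         _start_time, _end_time, indexs = get_index_by_count_type(count_type, data_tag)
         sql = "SELECT sum(event_total) nums FROM {} group by event_type".format(",".join(indexs))
         for result in exec_es_sql(sql):
             event_type = result['event_type']
             if event_type != "正常事件":
                 counts_by_type[event_type] = int(result['nums'])
     # key= runs on Python 2 and 3; the previous positional cmp() comparator
     # was Python 2 only. Ordering is identical (stable sort on the count).
     ranked = sorted(counts_by_type.items(), key=lambda kv: kv[1], reverse=True)
     if self.top != "":
         # NOTE(review): self.top is used as a slice bound, so presumably an
         # int (or None) — confirm against the class definition.
         ranked = ranked[0:self.top]
     event_type_list = [k for k, _v in ranked]
     data = [v for _k, v in ranked]
     return report_data_rule1(data, event_type_list, "病毒事件类型统计")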
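 def post(self, request):
     """
     数据标签列表 (data-tag list with per-tag record counts).

     Lists the ``SSADataTag`` rows visible to the caller's agent/company
     (or the global rows with neither set) whose name contains ``q``, and
     attaches ``all_count`` — the number of ES documents the tag's parsed
     query matches. A tag whose query cannot be parsed (ValueError) is kept
     with ``all_count`` 0.

     Args:
         request: DRF request; reads ``request.DATA["q"]`` and the user's
             ``userinfo`` agent/company. ``q`` only reaches the ORM filter,
             which parameterises it.

     Returns:
         ``Response`` with the result of ``select2_filter``.
     """
     agent_now = request.user.userinfo.agent
     company_now = request.user.userinfo.company
     q = request.DATA.get("q", '')
     data_list = models.SSADataTag.objects.filter(name__contains=q) \
         .filter(Q(agent=agent_now, company=company_now) | Q(agent=None, company=None)) \
         .values("id", "name")

     def count_for(tag_id):
         # Document count for one tag; 0 unless ES returns exactly one row.
         _start, _end, _url, where_sql, indexs, _tag = self.parsed_post(request, tag_id)
         sql = "select count(*) nums from {} {} ".format(", ".join(indexs), where_sql)
         result_list = exec_es_sql(sql)
         return result_list[0]['nums'] if len(result_list) == 1 else 0

     new_data_list = []
     for data in data_list:
         try:
             data['all_count'] = count_for(data['id'])
         except ValueError as e:
             # Best effort, as before: keep the tag, report zero, log why.
             data['all_count'] = 0
             print(e)
         new_data_list.append(data)
     return Response(select2_filter(request, new_data_list))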
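def firewall_flow_count(days):
    '''
    防火墙流量趋势 (daily firewall traffic trend).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``all-event-<day>-*`` indices.

    Returns:
        ``{"labels": [day, ...], "data": [series]}`` with one flow sum per
        day bucket; ``data`` is empty when ES returns no buckets.
    '''
    index = ','.join('all-event-{}-*'.format(day) for day in days)
    sql = 'SELECT sum(flow) sum_ FROM {} where event_source=1 and event_level>0 ' \
          'group by date_histogram(field=\'@timestamp\', \'interval\'=\'day\', \'format\'=\'yyyy-MM-dd\')' \
          ''.format(index)
    count_list = exec_es_sql(sql=sql)

    # The bucket column is named after the histogram expression itself.
    bucket_key = 'date_histogram(field=@timestamp,interval=day,format=yyyy-MM-dd)'
    # Buckets in first-seen order; a repeated bucket keeps the last sum.
    labels = []
    sums = {}
    for item in count_list:
        day = item[bucket_key]
        if day not in sums:
            labels.append(day)
        sums[day] = item['sum_']
    flow_count = {'name': u'流量', 'data': [sums[day] for day in labels]}
    return {
        "labels": labels,
        "data": [flow_count] if labels else []
    }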
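def terminal_txt_list(days, term_id):
    '''
    明文存储详情 (plaintext-storage detail rows for one terminal group).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-event-terminal-<day>-*`` indices.
        term_id: terminal group id; spliced into the query text unescaped,
            so it must already be validated by the caller.

    Returns:
        ``{"labels": [...], "data": [[no, ip, duty, group, word, dir], ...]}``
        with one row per record whose ``remark`` is a JSON object. The row
        number counts all records, skipped ones included, as before.
    '''
    index = ','.join('ssa-event-terminal-{}-*'.format(day) for day in days)
    # NOTE(review): exec_es_sql has no parameter binding; confirm term_id is
    # validated (e.g. an integer id) before it reaches this function.
    sql = 'SELECT terminal,remark,organization,term_duty FROM {} ' \
          'where event_type = \'明文存储\' and term_group_id=\'{}\' ' \
          'order by event_time desc'.format(index, term_id)
    count_list = exec_es_sql(sql=sql)

    # The group name depends only on term_id: resolve it once, not per row.
    term_name = "其他部门"
    term_list = TermGroup.objects.filter(term_group_id=term_id).values('term_group_name')
    if term_list:
        term_name = term_list.first()['term_group_name']

    row = []
    for i, item in enumerate(count_list):
        remark = item['remark']
        if not is_json(remark):
            continue
        remark = json.loads(remark)
        if not isinstance(remark, dict):
            continue
        # A remark without 'word'/'sm_content' raises KeyError, as before.
        row.append([
            i + 1, item['terminal'], item['term_duty'], term_name,
            remark['word'], remark['sm_content']
        ])
    return {
        "labels": [u"序号", u'IP', u'终端负责人', u'用户组名称', u'明文', u'文件目录'],
        "data": row
    }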
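def ids_event_count(days):
    '''
    IDS监测事件名称占比 (IDS event counts by event name).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-ids-<day>-*`` indices.

    Returns:
        ``{"labels": [event_name, ...], "data": [series]}`` with one count
        per label; ``data`` is empty when there are no rows.
    '''
    index = ','.join('ssa-ag-ids-{}-*'.format(day) for day in days)
    sql = 'SELECT event_name,count(*) count_ FROM {} ' \
          'group by event_name'.format(index)
    count_list = exec_es_sql(sql=sql)

    # Names in first-seen order; a repeated name keeps the last count, as
    # the old nested loop did. Assumes event_name is hashable.
    labels = []
    counts = {}
    for item in count_list:
        name = item['event_name']
        if name not in counts:
            labels.append(name)
        counts[name] = item['count_']
    flow_count = {'name': u'事件名称', 'data': [counts[name] for name in labels]}
    return {
        "labels": labels,
        "data": [flow_count] if labels else []
    }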
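def ids_attack_count(days):
    '''
    IDS监测攻击趋势 (daily IDS attack-count trend).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-ids-<day>-*`` indices.

    Returns:
        ``{"labels": [day, ...], "data": [series]}`` with one event_count
        sum per day bucket; ``data`` is empty when ES returns no buckets.
    '''
    index = ','.join('ssa-ag-ids-{}-*'.format(day) for day in days)
    sql = 'SELECT sum(event_count) sum_ FROM {} ' \
          'group by date_histogram(field=\'@timestamp\', \'interval\'=\'day\', \'format\'=\'yyyy-MM-dd\')' \
          ''.format(index)
    count_list = exec_es_sql(sql=sql)

    # The bucket column is named after the histogram expression itself.
    bucket_key = 'date_histogram(field=@timestamp,interval=day,format=yyyy-MM-dd)'
    # Buckets in first-seen order; a repeated bucket keeps the last sum.
    labels = []
    sums = {}
    for item in count_list:
        day = item[bucket_key]
        if day not in sums:
            labels.append(day)
        sums[day] = item['sum_']
    flow_count = {'name': u'攻击次数', 'data': [sums[day] for day in labels]}
    return {
        "labels": labels,
        "data": [flow_count] if labels else []
    }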
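def gl_type_count(days):
    '''
    隔离事件类型统计 (isolation-device event counts by third-level type).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``all-event-<day>-*`` indices.

    Returns:
        ``{"labels": [event_three_type, ...], "data": [series]}`` with one
        count per label; ``data`` is empty when there are no rows.
    '''
    index = ','.join('all-event-{}-*'.format(day) for day in days)
    sql = 'SELECT event_three_type,count(*) count_ FROM {} ' \
          'where event_source=5 and event_level>0 ' \
          'group by event_three_type'.format(index)
    count_list = exec_es_sql(sql=sql)

    # Types in first-seen order; a repeated type keeps the last count, as
    # the old nested loop did. Assumes event_three_type is hashable.
    labels = []
    counts = {}
    for item in count_list:
        three_type = item['event_three_type']
        if three_type not in counts:
            labels.append(three_type)
        counts[three_type] = item['count_']
    type_count = {'name': u'数量', 'data': [counts[t] for t in labels]}
    return {
        "labels": labels,
        "data": [type_count] if labels else []
    }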
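def gl_dst_ip_flow_count(days):
    '''
    隔离设备目标IP接收流量统计TOP10 (top-10 destination IPs by received traffic).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-gl-<day>-*`` indices.

    Returns:
        ``{"labels": [dst_ip, ...], "data": [series]}`` with one received
        flow sum per label; ``data`` is empty when there are no rows.
    '''
    index = ','.join('ssa-ag-gl-{}-*'.format(day) for day in days)
    sql = 'select dst_ip,sum(recv_flow_statis) sum_ from {} ' \
          'group by dst_ip order by sum_ desc limit 10'.format(index)
    count_list = exec_es_sql(sql=sql)

    # IPs in first-seen order; a repeated IP keeps the last sum, as the old
    # nested loop did. Assumes dst_ip is hashable.
    labels = []
    sums = {}
    for item in count_list:
        ip = item['dst_ip']
        if ip not in sums:
            labels.append(ip)
        sums[ip] = item['sum_']
    flow_count = {"name": u"流量", "data": [sums[ip] for ip in labels]}
    return {
        "labels": labels,
        "data": [flow_count] if labels else []
    }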
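def gl_flow_count(days):
    '''
    隔离设备接收发送流量趋势 (daily received / sent traffic trend).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-gl-<day>-*`` indices.

    Returns:
        ``{"labels": [day, ...], "data": [recv series, send series]}``; the
        two series always exist, each with one value per day bucket.
    '''
    index = ','.join('ssa-ag-gl-{}-*'.format(day) for day in days)
    sql = 'select sum(recv_flow_statis) sum_recv,sum(send_flow_statis) sum_send from {} ' \
          'group by date_histogram(field=\'@timestamp\', \'interval\'=\'day\', \'format\'=\'yyyy-MM-dd\')' \
          ''.format(index)
    count_list = exec_es_sql(sql=sql)

    # The bucket column is named after the histogram expression itself.
    bucket_key = 'date_histogram(field=@timestamp,interval=day,format=yyyy-MM-dd)'
    # Buckets in first-seen order; a repeated bucket keeps the last sums.
    labels = []
    totals = {}
    for item in count_list:
        day = item[bucket_key]
        if day not in totals:
            labels.append(day)
        totals[day] = (item['sum_recv'], item['sum_send'])
    row = [
        {"name": u"接收流量", "data": [totals[day][0] for day in labels]},
        {"name": u"发送流量", "data": [totals[day][1] for day in labels]},
    ]
    return {"labels": labels, "data": row}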
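 def get(self, request):
     """
     查询人员信息 (look up one attacker record by user, source IP and port).

     Query params:
         name, ip, port: exact-match values for ``attack_user``, ``src_ip``
             and ``src_port``; ``tag`` selects the index via ``get_index``.

     Returns:
         ``Response`` status 200 with the first matching row, 500 (kept for
         existing clients) when nothing matches, or 400 when a parameter
         cannot be embedded safely in the query text.
     """
     name = request.query_params.get("name")
     ip = request.query_params.get('ip')
     port = request.query_params.get('port')
     tag = request.query_params.get('tag')
     index = get_index(tag)

     # exec_es_sql offers no parameter binding, so each value lands in the
     # SQL text. Restrict every parameter to the shape its column needs.
     ip_chars = set("0123456789abcdefABCDEF.:")
     if not ip or any(c not in ip_chars for c in ip):
         return Response({"status": 400, "msg": "ip 参数不合法"})
     if not port or not port.isdigit():
         return Response({"status": 400, "msg": "port 参数不合法"})
     if name is None or "'" in name or "\\" in name:
         return Response({"status": 400, "msg": "name 参数不合法"})

     # 查询. The published template carried only two %s placeholders for
     # the three values, which raised TypeError; attack_user now gets name.
     sql = "select * from {}* where src_ip='%s' and src_port='%s' and attack_user='%s' limit 1".format(
         index)
     query_sql = sql % (ip, port, name)
     result = exec_es_sql(query_sql)
     if not result:
         return Response({"status": 500, "msg": "查询不到数据"})
     res = result[0]
     data = {
         "name": res.get('username'),
         "ip": res.get('src_ip'),
         "port": res.get('src_port'),
         "location": res.get('attack_city'),
         "dst_ip": res.get('dst_ip'),
         "dst_port": res.get('dst_port'),
         "dst_location": res.get('attacked_city'),
         "ip_addr": "--",
         "device_type": "--",
         "device": "--",
         "asset": "--"
     }
     return Response({"status": 200, "msg": "成功", "data": data})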
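def terminal_print_list(days, term_id):
    '''
    各部门打印详情 (print detail rows for one terminal group).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-all-terminal-<day>-*`` indices.
        term_id: terminal group id; spliced into the query text unescaped,
            so it must already be validated by the caller.

    Returns:
        ``{"labels": [...], "data": [[no, ip, duty, group, time, act], ...]}``
    '''
    index = ','.join('ssa-ag-all-terminal-{}-*'.format(day) for day in days)
    # NOTE(review): exec_es_sql has no parameter binding; confirm term_id is
    # validated (e.g. an integer id) before it reaches this function.
    sql = 'SELECT term_ip,term_duty,term_group_name,act_time,act_type FROM {} ' \
          'where log_type=5 and request_type=1 and act_type in (0,1,2,3,4,5,7) ' \
          'and term_group_id=\'{}\' order by act_time desc'.format(index, term_id)
    count_list = exec_es_sql(sql=sql)

    # act_type (as string) -> display label; the query's IN list guarantees
    # every returned value is one of these keys.
    act_type_name = dict(zip(
        ['0', '1', '2', '3', '4', '5', '7'],
        [u"拒绝打印", u"同意打印", u"打印审计", u"强制使用", u"自行取消", u"中心超时取消", u"离线使用"],
    ))
    # The group name depends only on term_id: resolve it once, not per row.
    term_name = "其他部门"
    term_list = TermGroup.objects.filter(term_group_id=term_id).values('term_group_name')
    if term_list:
        term_name = term_list.first()['term_group_name']

    row = []
    for i, item in enumerate(count_list):
        act_time = datetime.strptime(
            item['act_time'], "%Y%m%d%H%M%S").strftime("%Y-%m-%d %H:%M:%S")
        row.append([
            i + 1, item['term_ip'], item['term_duty'], term_name, act_time,
            act_type_name[str(item['act_type'])]
        ])
    return {
        "labels": [u"序号", u"IP", u"终端负责人", u"用户组名称", u"打印时间", u"违规类型"],
        "data": row
    }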
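def ids_attack_dst_count(days):
    '''
    IDS监测终端被攻击次数统计TOP10 (top-10 terminals by attack count).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-ids-<day>-*`` indices.

    Returns:
        ``{"labels": [src_ip, ...], "data": [series]}`` with one
        event_count sum per label; ``data`` is empty when there are no rows.
    '''
    index = ','.join('ssa-ag-ids-{}-*'.format(day) for day in days)
    sql = 'SELECT src_ip,sum(event_count) sum_ FROM {} ' \
          'group by src_ip order by sum_ desc limit 10'.format(index)
    count_list = exec_es_sql(sql=sql)

    # IPs in first-seen order; a repeated IP keeps the last sum, as the old
    # nested loop did. Assumes src_ip is hashable.
    labels = []
    sums = {}
    for item in count_list:
        ip = item['src_ip']
        if ip not in sums:
            labels.append(ip)
        sums[ip] = item['sum_']
    flow_count = {'name': u'被攻击次数', 'data': [sums[ip] for ip in labels]}
    return {
        "labels": labels,
        "data": [flow_count] if labels else []
    }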
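def viruses_ip_count(days):
    '''
    感染病毒终端统计 (infected terminals with their organisation).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-360-<day>-*`` indices.

    Returns:
        ``{"labels": [...], "data": [[org, ip, virus type, path], ...]}``;
        rows whose host has no resolvable organisation are dropped.
    '''
    index = ','.join('ssa-ag-360-{}-*'.format(day) for day in days)
    sql = 'select host_ip,virustype,infectedfileinfo_filepath,count(*) ' \
          'from {} group by host_ip,virustype,infectedfileinfo_filepath ' \
          'order by host_ip,virustype,infectedfileinfo_filepath'.format(index)
    count_list = exec_es_sql(sql=sql)

    def org_name_for(ip):
        # Group name of the asset registered under ip; '' when unknown.
        assets_list = Assets.objects.filter(ip=ip).values('term_group_id')
        if not assets_list:
            return ''
        term_list = TermGroup.objects.filter(
            term_group_id=assets_list.first()['term_group_id']).values('term_group_name')
        return term_list.first()['term_group_name'] if term_list else ''

    # One lookup per distinct host (still two ORM queries each — a batched
    # ip__in lookup would cut that further), cached so the row loop is O(n).
    orgs = {}
    for item in count_list:
        host_ip = item['host_ip']
        if host_ip not in orgs:
            orgs[host_ip] = org_name_for(host_ip)
    row = [
        [orgs[item['host_ip']], item['host_ip'], item['virustype'], item['infectedfileinfo_filepath']]
        for item in count_list if orgs[item['host_ip']]
    ]
    return {"labels": [u"单位名称", u"终端IP", u"病毒类型", u"感染目录"], "data": row}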
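def terminal_uninstall_count(days):
    '''
    卸载统计 (top-10 terminals by agent-uninstall events).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-event-terminal-<day>-*`` indices.

    Returns:
        ``{"labels": [terminal, ...], "data": [series]}`` with one count per
        label; ``data`` is empty when there are no rows.
    '''
    index = ','.join('ssa-event-terminal-{}-*'.format(day) for day in days)
    sql = 'SELECT terminal,count(*) count_ FROM {} ' \
          'where event_type = \'TMS卸载\' ' \
          'group by terminal order by count_ desc limit 10'.format(index)
    count_list = exec_es_sql(sql=sql)

    # Terminals in first-seen order; a repeated terminal keeps the last
    # count, as the old nested loop did. Assumes terminal is hashable.
    labels = []
    counts = {}
    for item in count_list:
        terminal = item['terminal']
        if terminal not in counts:
            labels.append(terminal)
        counts[terminal] = item['count_']
    term_count = {'name': "次数", 'data': [counts[t] for t in labels]}
    return {
        "labels": labels,
        "data": [term_count] if labels else []
    }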
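    def post(self, request):
        '''
        部门风险统计 (top-5 departments by weighted event risk).

        Weighted score per organization over the last 7 days: level-1
        events x0.2, level-2 x0.3, level-3 x0.5; other levels contribute
        nothing. Scores are truncated to int and the five highest returned.

        Args:
            request: the incoming DRF request; not read by this handler.

        Returns:
            ``Response`` with ``{"status": 200, "data": {"lables": [...], "series": [...]}}``
            (the ``lables`` spelling is kept for existing clients).
        '''
        index = get_day7_index('ssa-event-terminal')
        sql = 'select organization,event_level,count(*) count_ from {0} ' \
              'group by organization,event_level'.format(index)
        result = exec_es_sql(sql=sql)

        level_weight = {1: 0.2, 2: 0.3, 3: 0.5}
        org = {}
        for item in result:
            name = item['organization']
            org.setdefault(name, 0)
            weight = level_weight.get(item['event_level'])
            if weight is not None:
                org[name] += item['count_'] * weight

        data = [{"name": key, "value": int(value)} for key, value in org.items()]
        data = sorted(data, key=lambda s: s['value'], reverse=True)[:5]
        lables = [item['name'] for item in data]
        series = [item['value'] for item in data]
        return Response({"status": 200, "data": {'lables': lables, 'series': series}})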
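def firewall_prot_flow_count(days):
    '''
    防火墙协议流量统计 (firewall traffic per protocol).

    Args:
        days: iterable of ``YYYY-MM-DD`` strings selecting the
            ``ssa-ag-fw-<day>-*`` indices.

    Returns:
        ``{"labels": [protocol, ...], "data": [series]}`` with one flow sum
        per label; ``data`` is empty when there are no rows.
    '''
    index = ','.join('ssa-ag-fw-{}-*'.format(day) for day in days)
    sql = 'select protocol,sum(flow) sum_ from {} ' \
          'group by protocol order by sum_ desc'.format(index)
    count_list = exec_es_sql(sql=sql)

    # Protocols in first-seen order; a repeated protocol keeps the last sum,
    # as the old nested loop did. Assumes protocol is hashable.
    labels = []
    sums = {}
    for item in count_list:
        protocol = item['protocol']
        if protocol not in sums:
            labels.append(protocol)
        sums[protocol] = item['sum_']
    flow_count = {'name': u'流量', 'data': [sums[p] for p in labels]}
    return {
        "labels": labels,
        "data": [flow_count] if labels else []
    }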
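def attack_ip_count(days):
    '''
    被攻击终端统计 -- attacked terminals with their organisation name.

    Queries ``all-event-<day>-*`` for rows whose ``event_one_type`` is ``攻击``
    and ``event_level>0``, grouped by destination IP and ``event_three_type``.
    Each destination IP is mapped to an organisation through
    ``Assets`` -> ``TermGroup``; rows whose IP resolves to no organisation
    are dropped from the output.

    :param days: iterable of day strings used to build the index names.
    :return: ``{"labels": [u"单位名称", u"终端IP", u"攻击类型"], "data": rows}``
             with one ``[org_name, dst_ip, event_three_type]`` list per kept row.
    '''
    index = ['all-event-{}-*'.format(day) for day in days]
    sql = 'select dst_ip,event_three_type,count(*) count_ ' \
          'from {} where event_level>0 and event_one_type=\'攻击\' ' \
          'group by dst_ip,event_three_type order by count_ desc'.format(','.join(index))
    count_list = exec_es_sql(sql=sql)

    # Resolve every distinct destination IP once (one ORM lookup chain per IP,
    # not per row) and keep the result in a dict so the second pass is O(1)
    # per row instead of the previous list.index() scan.
    org_by_ip = {}
    for item in count_list:
        dst_ip = item['dst_ip']
        if dst_ip in org_by_ip:
            continue
        org = ''
        assets_list = Assets.objects.filter(
            ip=dst_ip).values('term_group_id')
        if assets_list:
            term_list = TermGroup.objects.filter(
                term_group_id=assets_list.first()['term_group_id']).values(
                    'term_group_name')
            if term_list:
                org = term_list.first()['term_group_name']
        org_by_ip[dst_ip] = org

    # Rows with an empty organisation are skipped, as before.
    row = [[org_by_ip[item['dst_ip']], item['dst_ip'], item['event_three_type']]
           for item in count_list if org_by_ip[item['dst_ip']]]
    result = {"labels": [u"单位名称", u"终端IP", u"攻击类型"], "data": row}
    return result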
 def data(self):
     """Per-day ``sum(event_total)`` over the days returned by ``get_day_list(1)``.

     One ES SQL query is issued per day against ``all-event-<day>*``; a day
     with no result rows counts as 0.  Instance state is not read.

     :return: ``{"labels": day_list, "data": [{"name": "事件统计", "data": [...]}]}``
              with one integer per day, in ``day_list`` order.
     """
     day_list = get_day_list(1)
     data_tag = "all-event"
     totals = dict()
     for day in day_list:
         index = data_tag + "-" + day + "*"
         result_list = exec_es_sql("SELECT sum(event_total) nums FROM {}".format(index))
         nums = result_list[0]['nums'] if result_list else 0
         # A day that appears twice in day_list accumulates onto its earlier
         # (non-zero) total.
         totals[day] = int(nums) + int(totals.get(day) or 0)
     day_nums_list = [totals.get(day, 0) for day in day_list]
     return {
         "labels": day_list,
         "data": [{
             "name": "事件统计",
             "data": day_nums_list
         }]
     }
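def terminal_on_off_count(days, term_id):
    '''
    终端开关机情况 -- power-on / power-off records for one terminal group.

    Queries ``ssa-ag-all-terminal-<day>-*`` for ``log_type = 2`` rows with
    ``login_type`` 4 or 5 belonging to ``term_id``, newest first.  ``login_type``
    4 fills the power-on column, 5 the power-off column; the other column is "".

    :param days: iterable of day strings used to build the index names.
    :param term_id: terminal group id; also used to look up the group name in
                    ``TermGroup`` (falls back to "其他部门" when not found).
    :return: ``{"labels": [...], "data": rows}`` where each row is
             ``[seq, login_ip, term_duty, group_name, on_time, off_time]`` and
             ``act_time`` is reformatted from ``%Y%m%d%H%M%S`` to ``%Y-%m-%d %H:%M:%S``.
    '''
    index = ['ssa-ag-all-terminal-{}-*'.format(day) for day in days]
    # NOTE(review): term_id is interpolated straight into the ES SQL string.
    # If it can originate from a request, validate it (or escape the quotes)
    # before it reaches this function.
    sql = 'SELECT term_group_name,login_ip,term_duty,act_time,login_type ' \
          'FROM {} where log_type = 2 and (login_type=4 or login_type=5) ' \
          'and term_group_id=\'{}\' order by act_time desc'.format(','.join(index), term_id)
    count_list = exec_es_sql(sql=sql)

    # The group name depends only on term_id, so look it up once rather than
    # once per result row; skipped entirely when there are no rows, matching
    # the previous number of ORM calls in that case.
    term_name = "其他部门"
    if count_list:
        term_list = TermGroup.objects.filter(
            term_group_id=term_id).values('term_group_name')
        if term_list:
            term_name = term_list.first()['term_group_name']

    row = []
    for i, item in enumerate(count_list):
        act_time = datetime.strptime(
            item['act_time'], "%Y%m%d%H%M%S").strftime("%Y-%m-%d %H:%M:%S")
        # Sequence numbers follow the result-row position, including rows
        # that match neither branch below.
        if item['login_type'] == 4:
            row.append([
                i + 1, item['login_ip'], item['term_duty'], term_name,
                act_time, ""
            ])
        elif item['login_type'] == 5:
            row.append([
                i + 1, item['login_ip'], item['term_duty'], term_name, "",
                act_time
            ])
    result = {
        "labels": [u"序号", u"IP", u"终端负责人", u"用户组名称", u"开机时间", u"关机时间"],
        "data": row
    }
    return result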
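def attack_source_count(days):
    '''
    攻击源统计 -- top-10 attack source IPs by event count.

    Queries ``all-event-<day>-*`` for ``event_level>0`` rows whose
    ``event_one_type`` is ``攻击``, grouped by ``src_ip`` and limited to the
    ten largest counts by the ES SQL query itself.

    :param days: iterable of day strings used to build the index names.
    :return: ``{"labels": [src_ip, ...],
                "data": [{"name": u"次数", "data": [count, ...]}]}``;
             ``"data"`` is ``[]`` when the query returned no rows.
    '''
    index = ['all-event-{}-*'.format(day) for day in days]
    sql = 'select src_ip,count(*) count_ ' \
          'from {} where event_level>0 and event_one_type=\'攻击\' ' \
          'group by src_ip order by count_ desc limit 10'.format(','.join(index))
    count_list = exec_es_sql(sql=sql)

    # Single pass instead of the previous labels x rows rescan. ``labels``
    # keeps first-seen order; a later row for the same IP overwrites the
    # count, which is what the old "last match wins" inner loop did.
    labels, totals = [], {}
    for item in count_list:
        src_ip = item['src_ip']
        if src_ip not in totals:
            labels.append(src_ip)
        totals[src_ip] = item['count_']

    flow_count = {'name': u'次数', 'data': [totals[lab] for lab in labels]}
    result = {
        "labels": labels,
        "data": [flow_count] if labels else []
    }
    return result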
    def post(self, request):
        '''
        风险IP和风险部门数量统计

        Counts how many distinct ``organization`` values and how many distinct
        ``event_host`` values have ``event_level>0`` events in the index
        pattern returned by ``get_day7_index('all-event')``.  ``request`` and
        instance state are not read.

        :return: ``Response({"status": 200, "data": {"org_size": n, "ip_size": m}})``
        '''
        index = get_day7_index('all-event')

        def distinct_count(field):
            # "group by <field>" yields one row per distinct value, so the
            # number of rows is the number of distinct values.
            query = 'SELECT {0},count(*) FROM {1} where event_level>0 ' \
                    'group by {0}'.format(field, index)
            return len(exec_es_sql(sql=query))

        result = {
            'org_size': distinct_count('organization'),
            'ip_size': distinct_count('event_host'),
        }
        return Response({"status": 200, "data": result})