def post(self, request):
    """
    Security score.

    Reads today's per-(event_source, event_level) totals from the
    ``all-event-<day>-*`` indices, passes them to ``get_score`` and reports the
    score together with the lifetime event total and the share of today's
    events in that total.

    Returns:
        Response ``{"status": 200, "data": {"score", "total", "up"}}``.
    """
    today = datetime.now().strftime('%Y-%m-%d')
    today_index = 'all-event-{}-*'.format(today)

    # Per-source / per-level sums are what the scoring helper expects.
    score_sql = ('SELECT event_source,event_level,sum(event_total) count_ FROM {} where event_level>0 '
                 'group by event_source,event_level order by event_source').format(today_index)
    score, event_name, event_score = get_score(exec_es_sql(sql=score_sql))

    # Lifetime and same-day totals; an empty aggregation counts as zero.
    total_rows = exec_es_sql(sql='SELECT sum(event_total) count_ FROM all-event-* where event_level>0 ')
    total_count = total_rows[0]['count_'] if total_rows else 0

    today_sql = 'SELECT sum(event_total) count_ FROM all-event-{}-* where event_level>0 '.format(today)
    today_rows = exec_es_sql(sql=today_sql)
    today_count = today_rows[0]['count_'] if today_rows else 0

    # Today's share of all events, guarded against a zero lifetime total.
    up = today_count * 100 / total_count if total_count else 0.0

    data = {
        "score": int(math.floor(score)),
        "total": int(math.floor(total_count)),
        "up": '{}%'.format(str(round(up, 2)))
    }
    return Response({"status": 200, "data": data})
def event_num_count(days):
    '''
    Share of events per device type.

    Args:
        days: day strings used to build the ``all-event-<day>-*`` indices.

    Returns:
        ``{"labels": u"事件来源", "data": [{"name": ..., "data": [<sum>]}, ...]}``
        with the fixed sources first (in a fixed order) followed by one entry
        per firewall host.
    '''
    indices = ','.join('all-event-{}-*'.format(day) for day in days)

    # Fixed sources, keyed by their event_source code; unknown codes are ignored.
    source_names = [u'数据库审计', u'IDS', u'隔离设备', u'摆渡设备', u'终端', u'杀毒软件']
    source_codes = [3, 2, 5, 4, 7, 6]
    totals = dict((code, 0) for code in source_codes)

    by_source_sql = ('select event_source,sum(event_total) count_ from {} '
                     'where event_level>0 group by event_source order by count_ desc').format(indices)
    for row in exec_es_sql(sql=by_source_sql):
        code = row['event_source']
        if code in totals:
            totals[code] += row['count_']

    series = [{'name': name, 'data': [totals[code]]}
              for name, code in zip(source_names, source_codes)]

    # Firewalls (event_source=1) are reported per host rather than as one source.
    fw_sql = ('select event_host,sum(event_total) count_ from {} '
              'where event_level>0 and event_source=1 '
              'group by event_host order by count_ desc').format(indices)
    for fw in exec_es_sql(sql=fw_sql):
        series.append({'name': u'防火墙{}'.format(fw['event_host']), 'data': [fw['count_']]})

    return {"labels": u"事件来源", "data": series}
def data(self):
    """
    Daily event counts per device type for the default period.

    For every day returned by ``get_day_list(1)`` the ``event_total`` sum is read
    from one ``<tag>-<day>*`` index per tag, plus two ``event-security-<day>*``
    queries filtered on ``event_source`` for the isolation and ferry devices.

    Returns:
        ``{"labels": <days>, "data": [{"name": ..., "data": [...]}, ...]}`` with
        one series per tag, in tag order, then the two security-index series.
    """
    count_type = 1
    day_list = get_day_list(count_type)

    tags = ["event-firewall", "event-ids", "event-terminal", "event-db-audit", "event-anti"]
    tag_titles = {
        "event-firewall": "防火墙",
        "event-ids": "IDS",
        "event-terminal": "终端",
        "event-db-audit": "数据库审计",
        "event-anti": "360杀毒软件"
    }
    # Isolation / ferry devices share the security index and are told apart by event_source.
    security_filters = [
        ("隔离设备", "SELECT sum(event_total) nums FROM {} where event_source like \'%隔离设备%\' "),
        ("摆渡设备", "SELECT sum(event_total) nums FROM {} where event_source like '%摆渡设备%' "),
    ]
    counts = dict((key, []) for key in tags + [name for name, _ in security_filters])

    def first_nums(sql):
        # The aggregation yields a single row; an empty result counts as zero.
        rows = exec_es_sql(sql)
        return int(rows[0]['nums']) if len(rows) > 0 else 0

    for day in day_list:
        for tag in tags:
            counts[tag].append(first_nums("SELECT sum(event_total) nums FROM {}".format(tag + "-" + day + "*")))
        security_index = "event-security" + "-" + day + "*"
        for name, template in security_filters:
            counts[name].append(first_nums(template.format(security_index)))

    series = [{'name': tag_titles[tag], 'data': counts[tag]} for tag in tags]
    series.extend({'name': name, 'data': counts[name]} for name, _ in security_filters)
    return {"labels": day_list, "data": series}
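def post(self, request):
    """
    Device status.

    Compares the number of terminals seen per log source over the last seven
    days of ``statistics-*`` with the hosts that produced events today, and
    reports per source: asset count, hosts reporting, hosts silent and the
    number of abnormal events.

    Returns:
        Response ``{"status": 200, "data": [{"type", "num", "normal", "off", "abnormal"}, ...]}``.
    """
    day = datetime.strftime(datetime.now(), "%Y-%m-%d")
    stats_index = get_day7_index('statistics-*')
    stats_sql = ('select log_source,count(distinct terminal) count_ from {0} '
                 'group by log_source').format(stats_index)
    stats_rows = exec_es_sql(sql=stats_sql)

    labels = [u'数据库审计', u'IDS', u'隔离设备', u'摆渡设备', u'360', u'终端']
    source_codes = [3, 2, 5, 4, 6, 7]
    # Firewalls are discovered from the log sources; every one maps to code 1.
    for row in stats_rows:
        log_source = row['log_source']
        if u'防火墙' in log_source and log_source not in labels:
            labels.append(log_source)
            source_codes.append(1)

    # Asset count per log source; a repeated source keeps its last row.
    asset_count = dict((row['log_source'], row['count_']) for row in stats_rows)

    data = []
    for lab, code in zip(labels, source_codes):
        assets_num = asset_count.get(lab, 0)
        normal, off, abnormal = 0, 0, 0

        # Firewalls are narrowed to the host named in the label. Fix: the
        # original format string had no placeholder, so every firewall was
        # compared against event_host='' and always reported as silent.
        # NOTE(review): the host text comes from the indexed log_source value
        # and is interpolated unescaped — confirm the ES SQL layer rejects quotes.
        where = ''
        if code == 1:
            where = ' and event_host=\'{}\' '.format(lab.replace(u'防火墙', ''))

        assets_sql = ('SELECT event_source,count(distinct event_host) count_,sum(event_total) sum_ '
                      'FROM all-event-{}-* where event_source={} {} '
                      'group by event_source').format(day, code, where)
        assets_count = exec_es_sql(sql=assets_sql)
        if assets_count:
            normal = assets_count[0]['count_']
            abnormal = assets_count[0]['sum_']

        # A source cannot have fewer assets than hosts currently reporting.
        if normal > assets_num:
            assets_num = normal
            off = 0
        else:
            off = assets_num - normal

        data.append({
            "type": u'杀毒软件' if lab == '360' else lab,
            "num": assets_num,
            "normal": normal,
            "off": off,
            "abnormal": abnormal
        })
    return Response({"status": 200, "data": data})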
def post(self, request):
    '''
    Event statistics for the last seven days.

    Counts attack / violation / virus events by ``event_one_type`` and sums
    ``event_total`` per source, with firewalls broken out per host.

    Returns:
        Response ``{"status": 200, "data": {"event_type": {...}, "event_source": [...]}}``.
    '''
    index = get_day7_index('all-event')

    # Counts by top-level type; only the three named types are reported.
    type_sql = ('select event_one_type,count(*) count_ from {0} '
                'where event_level>0 group by event_one_type order by count_ desc').format(index)
    type_counts = {u'攻击': 0, u'违规': 0, u'病毒': 0}
    for row in exec_es_sql(sql=type_sql):
        one_type = row['event_one_type']
        if one_type in type_counts:
            type_counts[one_type] = row['count_']

    # Sums by source code, in a fixed display order; unknown codes are ignored.
    source_names = [u'数据库审计', u'IDS', u'隔离设备', u'摆渡设备', u'终端', u'杀毒软件']
    source_codes = [3, 2, 5, 4, 7, 6]
    totals = dict((code, 0) for code in source_codes)
    source_sql = ('select event_source,sum(event_total) count_ from {0} '
                  'where event_level>0 group by event_source order by count_ desc').format(index)
    for row in exec_es_sql(sql=source_sql):
        code = row['event_source']
        if code in totals:
            totals[code] += row['count_']
    source_series = [{'name': name, 'value': totals[code]}
                     for name, code in zip(source_names, source_codes)]

    # Firewalls (event_source=1) are listed per host.
    fw_sql = ('select event_host,sum(event_total) count_ from {0} '
              'where event_level>0 and event_source=1 '
              'group by event_host order by count_ desc').format(index)
    for fw in exec_es_sql(sql=fw_sql):
        source_series.append({'name': '防火墙{}'.format(fw['event_host']), 'value': fw['count_']})

    data = {
        'event_type': {
            'norule': type_counts[u'违规'],
            'attack': type_counts[u'攻击'],
            'viruses': type_counts[u'病毒']
        },
        'event_source': source_series
    }
    return Response({"status": 200, "data": data})
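def asset_status(days):
    '''
    Asset status per log source.

    Compares the terminals seen per log source in ``statistics-*-<day>-*`` with
    the hosts that produced events in ``all-event-<day>-*`` for the same days.

    Args:
        days: day strings used to build both index lists.

    Returns:
        ``{"labels": [...], "data": [[type, num, normal, off, abnormal], ...]}``.
    '''
    stats_indices = ','.join('statistics-*-{}-*'.format(day) for day in days)
    event_indices = ','.join('all-event-{}-*'.format(day) for day in days)

    stats_sql = ('select log_source,count(distinct terminal) count_ from {} '
                 'group by log_source').format(stats_indices)
    stats_rows = exec_es_sql(sql=stats_sql)

    labels = [u'数据库审计', u'IDS', u'隔离设备', u'摆渡设备', u'360', u'终端']
    source_codes = [3, 2, 5, 4, 6, 7]
    # Firewalls are discovered from the log sources; every one maps to code 1.
    for row in stats_rows:
        log_source = row['log_source']
        if u'防火墙' in log_source and log_source not in labels:
            labels.append(log_source)
            source_codes.append(1)

    # Asset count per log source; a repeated source keeps its last row.
    asset_count = dict((row['log_source'], row['count_']) for row in stats_rows)

    data = []
    for lab, code in zip(labels, source_codes):
        assets_num = asset_count.get(lab, 0)
        normal, off, abnormal = 0, 0, 0

        # Firewalls are narrowed to the host named in the label. Fix: the
        # original format string had no placeholder, so every firewall was
        # compared against event_host='' and always reported as silent.
        # NOTE(review): the host text comes from the indexed log_source value
        # and is interpolated unescaped — confirm the ES SQL layer rejects quotes.
        where = ''
        if code == 1:
            where = ' and event_host=\'{}\' '.format(lab.replace(u'防火墙', ''))

        assets_sql = ('SELECT event_source,count(distinct event_host) count_,sum(event_total) sum_ '
                      'FROM {} where event_source={} {} group by event_source '
                      '').format(event_indices, code, where)
        assets_count = exec_es_sql(sql=assets_sql)
        if assets_count:
            normal = assets_count[0]['count_']
            abnormal = assets_count[0]['sum_']

        # A source cannot have fewer assets than hosts currently reporting.
        if normal > assets_num:
            assets_num = normal
            off = 0
        else:
            off = assets_num - normal

        data.append([u'杀毒软件' if lab == '360' else lab, assets_num, normal, off, abnormal])

    return {
        "labels": [u'类型', u'数量 ', u'采集正常', u'采集断开', u'异常事件数'],
        "data": data
    }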
def terminal_print_count(days):
    '''
    Print-activity statistics.

    Takes the top-10 (terminal, action type) pairs by count from
    ``ssa-ag-all-terminal-<day>-*`` and pivots them into one series per action
    type over the distinct terminal IPs.

    Args:
        days: day strings used to build the index names.

    Returns:
        ``{"labels": [<term_ip>, ...], "data": [{"name": <action>, "data": [...]}, ...]}``.
    '''
    indices = ','.join('ssa-ag-all-terminal-{}-*'.format(day) for day in days)
    sql = ('SELECT term_ip,act_type,count(*) count_ FROM {} '
           'where log_type=5 and request_type=1 and act_type in (0,1,2,3,4,5,7) '
           'group by term_ip,act_type order by count_ desc limit 10').format(indices)
    rows = exec_es_sql(sql=sql)

    action_names = [u"拒绝打印", u"同意打印", u"打印审计", u"强制使用", u"自行取消", u"中心超时取消", u"离线使用"]
    action_codes = ['0', '1', '2', '3', '4', '5', '7']

    # Distinct IPs in first-seen order form the x-axis.
    ips = []
    for row in rows:
        if row['term_ip'] not in ips:
            ips.append(row['term_ip'])

    # Count per (ip, act_type); a repeated pair keeps its last row.
    counts = {}
    for row in rows:
        counts[(row['term_ip'], str(row['act_type']))] = row['count_']

    series = [{'name': name, 'data': [counts.get((ip, code), 0) for ip in ips]}
              for name, code in zip(action_names, action_codes)]
    return {"labels": ips, "data": series}
def terminal_login_fail_count(days):
    '''
    Failed-login statistics.

    Top-10 login IPs by failed-login count from ``ssa-ag-all-terminal-<day>-*``.

    Args:
        days: day strings used to build the index names.

    Returns:
        ``{"labels": [<login_ip>, ...], "data": [{"name": u'登录失败次数', "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('ssa-ag-all-terminal-{}-*'.format(day) for day in days)
    sql = ('SELECT login_ip,count(*) count_ FROM {} where log_type=2 and login_result=0 '
           'group by login_ip order by count_ desc limit 10').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_ip = {}
    for row in rows:
        ip = row['login_ip']
        if ip not in labels:
            labels.append(ip)
        per_ip[ip] = row['count_']  # a repeated IP keeps its last row

    series = {'name': u'登录失败次数', 'data': [per_ip[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
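def get(self, request):
    """
    Look up people matching a free-text search.

    Query params:
        search: optional substring matched against ``src_ip`` and ``attack_user``.
        data_tag: tag resolved to an index prefix by ``get_index``.

    Returns:
        Response with up to five rows, or status 400 when ``search`` contains a
        character that would terminate or escape the quoted SQL pattern.
    """
    search = request.query_params.get("search")
    tag = request.query_params.get("data_tag")
    index = get_index(tag)

    # ``search`` is caller-controlled and is interpolated into a quoted LIKE
    # pattern; exec_es_sql offers no bind parameters, so refuse the characters
    # that could break out of the literal instead of passing them through.
    if search and any(ch in search for ch in "'\"\\"):
        return Response({"status": 400, "msg": "search 参数包含非法字符", "data": []})

    base_sql = "select * from {}* ".format(index)
    where_sql = ""
    if search:
        where_sql = "where src_ip like '%%%s%%' " \
                    "or attack_user like '%%%s%%'" % (search, search)
    # Only the first five hits are wanted.
    query_sql = base_sql + where_sql + "limit 5"
    result = exec_es_sql(query_sql)

    data = [{
        "name": row.get('attack_user'),
        "ip": row.get('src_ip'),
        "port": row.get('src_port'),
        "location": row.get('attack_city'),
        "dst_ip": row.get('dst_ip'),
        "dst_port": row.get('dst_port'),
        "dst_location": row.get('attacked_city'),
        "ip_addr": "--",
        "device_type": "--",
        "device": "--",
        "asset": "--"
    } for row in result[:5]]
    return Response({"status": 200, "msg": "成功", "data": data})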
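def data(self):
    """
    Virus event counts by event type, highest first.

    Sums ``event_total`` per ``event_type`` over the ``event-anti`` indices for
    count_type 1, drops the "正常事件" bucket, sorts descending by count and
    truncates to ``self.top`` when it is set.

    Returns:
        Whatever ``report_data_rule1`` builds from the counts and type names.
    """
    count_type = 1
    data = []
    event_type_list = []
    counts = dict()
    for data_tag in ["event-anti"]:
        start_time, end_time, indexs = get_index_by_count_type(count_type, data_tag)
        sql = "SELECT sum(event_total) nums FROM {} group by event_type".format(",".join(indexs))
        for result in exec_es_sql(sql):
            event_type = result['event_type']
            if event_type != "正常事件":
                counts[event_type] = int(result['nums'])

    # Fix: the original passed a positional cmp function to sorted(), which is
    # Python 2 only (TypeError on Python 3); key= gives the same ordering.
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    if self.top != "":
        ranked = ranked[0:self.top]

    for k, v in ranked:
        event_type_list.append(k)
        data.append(v)
    return report_data_rule1(data, event_type_list, "病毒事件类型统计")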
def post(self, request):
    """
    Data-tag list with a per-tag hit count.

    Lists ``SSADataTag`` rows whose name contains ``q`` and that belong to the
    caller's agent/company (or to none), then counts matching ES documents for
    each via ``self.parsed_post``. A tag whose query cannot be parsed is kept
    with a zero count.

    Returns:
        Response with the list passed through ``select2_filter``.
    """
    agent_now = request.user.userinfo.agent
    company_now = request.user.userinfo.company
    q = request.DATA.get("q", '')
    tag_rows = models.SSADataTag.objects.filter(name__contains=q) \
        .filter(Q(agent=agent_now, company=company_now) | Q(agent=None, company=None)) \
        .values("id", "name")

    annotated = []
    for tag in tag_rows:
        try:
            start_time, end_time, es_sql_url, sql, indexs, data_tag = self.parsed_post(request, tag['id'])
            count_sql = "select count(*) nums from {} {} ".format(", ".join(indexs), sql)
            rows = exec_es_sql(count_sql)
            # Exactly one aggregation row is expected; anything else counts as zero.
            tag['all_count'] = rows[0]['nums'] if len(rows) == 1 else 0
        except ValueError as e:
            tag['all_count'] = 0
            print(e)
        annotated.append(tag)

    return Response(select2_filter(request, annotated))
def firewall_flow_count(days):
    '''
    Firewall traffic trend.

    Daily ``flow`` sums for firewall events (event_source=1) over
    ``all-event-<day>-*``, bucketed by the @timestamp day histogram.

    Args:
        days: day strings used to build the index names.

    Returns:
        ``{"labels": [<day>, ...], "data": [{"name": u'流量', "data": [...]}]}``;
        ``data`` is empty when there are no buckets.
    '''
    bucket_key = 'date_histogram(field=@timestamp,interval=day,format=yyyy-MM-dd)'
    indices = ','.join('all-event-{}-*'.format(day) for day in days)
    sql = ('SELECT sum(flow) sum_ FROM {} where event_source=1 and event_level>0 '
           'group by date_histogram(field=\'@timestamp\', \'interval\'=\'day\', \'format\'=\'yyyy-MM-dd\')'
           '').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_day = {}
    for row in rows:
        bucket = row[bucket_key]
        if bucket not in labels:
            labels.append(bucket)
        per_day[bucket] = row['sum_']  # a repeated bucket keeps its last row

    series = {'name': u'流量', 'data': [per_day[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
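def terminal_txt_list(days, term_id):
    '''
    Plaintext-storage detail rows for one terminal group.

    Args:
        days: day strings used to build the ``ssa-event-terminal-<day>-*`` indices.
        term_id: terminal group id used both in the ES filter and the TermGroup lookup.

    Returns:
        ``{"labels": [...], "data": [[no, ip, duty, group, word, path], ...]}``.
        Rows whose ``remark`` is not a JSON object are skipped.
    '''
    indices = ','.join('ssa-event-terminal-{}-*'.format(day) for day in days)
    # NOTE(review): term_id is interpolated into the SQL string unescaped;
    # confirm callers only pass trusted ids or that the ES SQL layer rejects quotes.
    sql = ('SELECT terminal,remark,organization,term_duty FROM {} '
           'where event_type = \'明文存储\' and term_group_id=\'{}\' '
           'order by event_time desc').format(indices, term_id)
    rows = exec_es_sql(sql=sql)

    # The group name depends only on term_id: resolve it once rather than
    # re-querying TermGroup for every row.
    term_name = "其他部门"
    if rows:
        term_list = TermGroup.objects.filter(term_group_id=term_id).values('term_group_name')
        if term_list:
            term_name = term_list.first()['term_group_name']

    data = []
    for i, item in enumerate(rows):
        remark = item['remark']
        if is_json(remark):
            remark = json.loads(remark)
        if not isinstance(remark, dict):
            continue
        data.append([i + 1, item['terminal'], item['term_duty'], term_name,
                     remark['word'], remark['sm_content']])

    return {
        "labels": [u"序号", u'IP', u'终端负责人', u'用户组名称', u'明文', u'文件目录'],
        "data": data
    }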
def ids_event_count(days):
    '''
    Share of IDS events by event name.

    Args:
        days: day strings used to build the ``ssa-ag-ids-<day>-*`` indices.

    Returns:
        ``{"labels": [<event_name>, ...], "data": [{"name": u'事件名称', "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('ssa-ag-ids-{}-*'.format(day) for day in days)
    sql = ('SELECT event_name,count(*) count_ FROM {} '
           'group by event_name').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_name = {}
    for row in rows:
        name = row['event_name']
        if name not in labels:
            labels.append(name)
        per_name[name] = row['count_']  # a repeated name keeps its last row

    series = {'name': u'事件名称', 'data': [per_name[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def ids_attack_count(days):
    '''
    IDS attack trend.

    Daily ``event_count`` sums over ``ssa-ag-ids-<day>-*`` bucketed by the
    @timestamp day histogram.

    Args:
        days: day strings used to build the index names.

    Returns:
        ``{"labels": [<day>, ...], "data": [{"name": u'攻击次数', "data": [...]}]}``;
        ``data`` is empty when there are no buckets.
    '''
    bucket_key = 'date_histogram(field=@timestamp,interval=day,format=yyyy-MM-dd)'
    indices = ','.join('ssa-ag-ids-{}-*'.format(day) for day in days)
    sql = ('SELECT sum(event_count) sum_ FROM {} '
           'group by date_histogram(field=\'@timestamp\', \'interval\'=\'day\', \'format\'=\'yyyy-MM-dd\')'
           '').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_day = {}
    for row in rows:
        bucket = row[bucket_key]
        if bucket not in labels:
            labels.append(bucket)
        per_day[bucket] = row['sum_']  # a repeated bucket keeps its last row

    series = {'name': u'攻击次数', 'data': [per_day[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def gl_type_count(days):
    '''
    Isolation-device event counts by third-level type.

    Args:
        days: day strings used to build the ``all-event-<day>-*`` indices.

    Returns:
        ``{"labels": [<event_three_type>, ...], "data": [{"name": u'数量', "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('all-event-{}-*'.format(day) for day in days)
    sql = ('SELECT event_three_type,count(*) count_ FROM {} '
           'where event_source=5 and event_level>0 '
           'group by event_three_type').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_type = {}
    for row in rows:
        three_type = row['event_three_type']
        if three_type not in labels:
            labels.append(three_type)
        per_type[three_type] = row['count_']  # a repeated type keeps its last row

    series = {'name': u'数量', 'data': [per_type[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def gl_dst_ip_flow_count(days):
    '''
    Top-10 destination IPs by traffic received through the isolation device.

    Args:
        days: day strings used to build the ``ssa-ag-gl-<day>-*`` indices.

    Returns:
        ``{"labels": [<dst_ip>, ...], "data": [{"name": u"流量", "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('ssa-ag-gl-{}-*'.format(day) for day in days)
    sql = ('select dst_ip,sum(recv_flow_statis) sum_ from {} '
           'group by dst_ip order by sum_ desc limit 10').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_ip = {}
    for row in rows:
        ip = row['dst_ip']
        if ip not in labels:
            labels.append(ip)
        per_ip[ip] = row['sum_']  # a repeated IP keeps its last row

    series = {"name": u"流量", "data": [per_ip[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def gl_flow_count(days):
    '''
    Isolation-device received/sent traffic trend.

    Daily sums of ``recv_flow_statis`` and ``send_flow_statis`` over
    ``ssa-ag-gl-<day>-*`` bucketed by the @timestamp day histogram.

    Args:
        days: day strings used to build the index names.

    Returns:
        ``{"labels": [<day>, ...], "data": [<received series>, <sent series>]}``.
    '''
    bucket_key = 'date_histogram(field=@timestamp,interval=day,format=yyyy-MM-dd)'
    indices = ','.join('ssa-ag-gl-{}-*'.format(day) for day in days)
    sql = ('select sum(recv_flow_statis) sum_recv,sum(send_flow_statis) sum_send from {} '
           'group by date_histogram(field=\'@timestamp\', \'interval\'=\'day\', \'format\'=\'yyyy-MM-dd\')'
           '').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_day = {}
    for row in rows:
        bucket = row[bucket_key]
        if bucket not in labels:
            labels.append(bucket)
        per_day[bucket] = (row['sum_recv'], row['sum_send'])  # a repeated bucket keeps its last row

    received = {"name": u"接收流量", "data": [per_day[lab][0] for lab in labels]}
    sent = {"name": u"发送流量", "data": [per_day[lab][1] for lab in labels]}
    return {"labels": labels, "data": [received, sent]}
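def get(self, request):
    """
    Look up one person record by source ip, source port and user name.

    Query params:
        name, ip, port: exact-match filters for ``attack_user``, ``src_ip`` and ``src_port``.
        tag: tag resolved to an index prefix by ``get_index``.

    Returns:
        Response status 200 with the first matching record, 500 when nothing
        matches, or 400 when a parameter contains a character that would
        terminate or escape its quoted SQL literal.
    """
    name = request.query_params.get("name")
    ip = request.query_params.get('ip')
    port = request.query_params.get('port')
    tag = request.query_params.get('tag')
    index = get_index(tag)

    # All three values are caller-controlled and land inside quoted literals;
    # exec_es_sql offers no bind parameters, so reject quote/backslash
    # characters rather than interpolate them.
    for value in (ip, port, name):
        if value is not None and any(ch in value for ch in "'\"\\"):
            return Response({"status": 400, "msg": "参数包含非法字符"})

    # NOTE(review): the original filter read attack_user='******' while three
    # values were supplied for two %s conversions, which makes the % operator
    # raise TypeError; the '******' reads like a redacted '%s' — confirm against
    # the upstream file before relying on the name filter.
    sql = "select * from {}* where src_ip='%s' and src_port='%s' and attack_user='%s' limit 1".format(index)
    query_sql = sql % (ip, port, name)
    result = exec_es_sql(query_sql)
    if not result:
        return Response({"status": 500, "msg": "查询不到数据"})

    res = result[0]
    data = {
        "name": res.get('username'),
        "ip": res.get('src_ip'),
        "port": res.get('src_port'),
        "location": res.get('attack_city'),
        "dst_ip": res.get('dst_ip'),
        "dst_port": res.get('dst_port'),
        "dst_location": res.get('attacked_city'),
        "ip_addr": "--",
        "device_type": "--",
        "device": "--",
        "asset": "--"
    }
    return Response({"status": 200, "msg": "成功", "data": data})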
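def terminal_print_list(days, term_id):
    '''
    Print detail rows for one terminal group.

    Args:
        days: day strings used to build the ``ssa-ag-all-terminal-<day>-*`` indices.
        term_id: terminal group id used both in the ES filter and the TermGroup lookup.

    Returns:
        ``{"labels": [...], "data": [[no, ip, duty, group, time, action], ...]}``.

    Raises:
        ValueError: if a row's ``act_type`` is outside the seven known codes
        (the SQL filter should make this impossible) or ``act_time`` is not
        ``%Y%m%d%H%M%S``.
    '''
    indices = ','.join('ssa-ag-all-terminal-{}-*'.format(day) for day in days)
    # NOTE(review): term_id is interpolated into the SQL string unescaped;
    # confirm callers only pass trusted ids or that the ES SQL layer rejects quotes.
    sql = ('SELECT term_ip,term_duty,term_group_name,act_time,act_type FROM {} '
           'where log_type=5 and request_type=1 and act_type in (0,1,2,3,4,5,7) '
           'and term_group_id=\'{}\' order by act_time desc').format(indices, term_id)
    rows = exec_es_sql(sql=sql)

    action_names = [u"拒绝打印", u"同意打印", u"打印审计", u"强制使用", u"自行取消", u"中心超时取消", u"离线使用"]
    action_codes = ['0', '1', '2', '3', '4', '5', '7']

    # The group name depends only on term_id: resolve it once rather than
    # re-querying TermGroup for every row.
    term_name = "其他部门"
    if rows:
        term_list = TermGroup.objects.filter(term_group_id=term_id).values('term_group_name')
        if term_list:
            term_name = term_list.first()['term_group_name']

    data = []
    for i, item in enumerate(rows):
        act_time = datetime.strptime(item['act_time'], "%Y%m%d%H%M%S").strftime("%Y-%m-%d %H:%M:%S")
        act_type = action_names[action_codes.index(str(item['act_type']))]
        data.append([i + 1, item['term_ip'], item['term_duty'], term_name, act_time, act_type])

    return {
        "labels": [u"序号", u"IP", u"终端负责人", u"用户组名称", u"打印时间", u"违规类型"],
        "data": data
    }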
def ids_attack_dst_count(days):
    '''
    Top-10 terminals by IDS attack count.

    Args:
        days: day strings used to build the ``ssa-ag-ids-<day>-*`` indices.

    Returns:
        ``{"labels": [<src_ip>, ...], "data": [{"name": u'被攻击次数', "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('ssa-ag-ids-{}-*'.format(day) for day in days)
    sql = ('SELECT src_ip,sum(event_count) sum_ FROM {} '
           'group by src_ip order by sum_ desc limit 10').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_ip = {}
    for row in rows:
        ip = row['src_ip']
        if ip not in labels:
            labels.append(ip)
        per_ip[ip] = row['sum_']  # a repeated IP keeps its last row

    series = {'name': u'被攻击次数', 'data': [per_ip[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def viruses_ip_count(days):
    '''
    Infected terminals.

    Groups ``ssa-ag-360-<day>-*`` documents by host, virus type and infected
    path, and resolves each host to its organization through Assets -> TermGroup.

    Args:
        days: day strings used to build the index names.

    Returns:
        ``{"labels": [...], "data": [[org, host_ip, virustype, path], ...]}``;
        rows for hosts with no resolvable organization are dropped.
    '''
    indices = ','.join('ssa-ag-360-{}-*'.format(day) for day in days)
    sql = ('select host_ip,virustype,infectedfileinfo_filepath,count(*) '
           'from {} group by host_ip,virustype,infectedfileinfo_filepath '
           'order by host_ip,virustype,infectedfileinfo_filepath').format(indices)
    rows = exec_es_sql(sql=sql)

    # Resolve each distinct host to an organization name once ('' when unknown).
    org_by_ip = {}
    for row in rows:
        host_ip = row['host_ip']
        if host_ip in org_by_ip:
            continue
        org_name = ''
        assets_list = Assets.objects.filter(ip=host_ip).values('term_group_id')
        if assets_list:
            term_list = TermGroup.objects.filter(
                term_group_id=assets_list.first()['term_group_id']).values('term_group_name')
            if term_list:
                org_name = term_list.first()['term_group_name']
        org_by_ip[host_ip] = org_name

    data = [[org_by_ip[row['host_ip']], row['host_ip'], row['virustype'], row['infectedfileinfo_filepath']]
            for row in rows if org_by_ip[row['host_ip']]]
    return {"labels": [u"单位名称", u"终端IP", u"病毒类型", u"感染目录"], "data": data}
def terminal_uninstall_count(days):
    '''
    Top-10 terminals by TMS uninstall events.

    Args:
        days: day strings used to build the ``ssa-event-terminal-<day>-*`` indices.

    Returns:
        ``{"labels": [<terminal>, ...], "data": [{"name": "次数", "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('ssa-event-terminal-{}-*'.format(day) for day in days)
    sql = ('SELECT terminal,count(*) count_ FROM {} '
           'where event_type = \'TMS卸载\' '
           'group by terminal order by count_ desc limit 10').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_terminal = {}
    for row in rows:
        terminal = row['terminal']
        if terminal not in labels:
            labels.append(terminal)
        per_terminal[terminal] = row['count_']  # a repeated terminal keeps its last row

    series = {'name': "次数", 'data': [per_terminal[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def post(self, request):
    '''
    Department risk statistics.

    Weights the last seven days of ``ssa-event-terminal`` events per
    organization by level (1: 0.2, 2: 0.3, 3: 0.5; other levels ignored) and
    returns the five highest-scoring organizations.

    Returns:
        Response ``{"status": 200, "data": {"lables": [...], "series": [...]}}``
        (the ``lables`` key spelling is part of the existing API and is kept).
    '''
    index = get_day7_index('ssa-event-terminal')
    sql = ('select organization,event_level,count(*) count_ from {0} '
           'group by organization,event_level').format(index)

    level_weight = {1: 0.2, 2: 0.3, 3: 0.5}
    scores = dict()
    for row in exec_es_sql(sql=sql):
        org_name = row['organization']
        scores.setdefault(org_name, 0)
        weight = level_weight.get(row['event_level'])
        if weight is not None:
            scores[org_name] += row['count_'] * weight

    ranked = sorted(({"name": k, "value": int(v)} for k, v in scores.items()),
                    key=lambda s: s['value'], reverse=True)[0:5]
    lables = [item['name'] for item in ranked]
    series = [item['value'] for item in ranked]
    return Response({"status": 200, "data": {'lables': lables, 'series': series}})
def firewall_prot_flow_count(days):
    '''
    Firewall traffic per protocol.

    Args:
        days: day strings used to build the ``ssa-ag-fw-<day>-*`` indices.

    Returns:
        ``{"labels": [<protocol>, ...], "data": [{"name": u'流量', "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('ssa-ag-fw-{}-*'.format(day) for day in days)
    sql = ('select protocol,sum(flow) sum_ from {} '
           'group by protocol order by sum_ desc').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_protocol = {}
    for row in rows:
        protocol = row['protocol']
        if protocol not in labels:
            labels.append(protocol)
        per_protocol[protocol] = row['sum_']  # a repeated protocol keeps its last row

    series = {'name': u'流量', 'data': [per_protocol[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def attack_ip_count(days):
    '''
    Attacked terminals.

    Groups attack events (event_one_type '攻击') in ``all-event-<day>-*`` by
    destination IP and third-level type, and resolves each IP to its
    organization through Assets -> TermGroup.

    Args:
        days: day strings used to build the index names.

    Returns:
        ``{"labels": [...], "data": [[org, dst_ip, event_three_type], ...]}``;
        rows for IPs with no resolvable organization are dropped.
    '''
    indices = ','.join('all-event-{}-*'.format(day) for day in days)
    sql = ('select dst_ip,event_three_type,count(*) count_ '
           'from {} where event_level>0 and event_one_type=\'攻击\' '
           'group by dst_ip,event_three_type order by count_ desc').format(indices)
    rows = exec_es_sql(sql=sql)

    # Resolve each distinct destination IP to an organization name once ('' when unknown).
    org_by_ip = {}
    for row in rows:
        dst_ip = row['dst_ip']
        if dst_ip in org_by_ip:
            continue
        org_name = ''
        assets_list = Assets.objects.filter(ip=dst_ip).values('term_group_id')
        if assets_list:
            term_list = TermGroup.objects.filter(
                term_group_id=assets_list.first()['term_group_id']).values('term_group_name')
            if term_list:
                org_name = term_list.first()['term_group_name']
        org_by_ip[dst_ip] = org_name

    data = [[org_by_ip[row['dst_ip']], row['dst_ip'], row['event_three_type']]
            for row in rows if org_by_ip[row['dst_ip']]]
    return {"labels": [u"单位名称", u"终端IP", u"攻击类型"], "data": data}
def data(self):
    """
    Daily total of ``event_total`` over the ``all-event-<day>*`` indices.

    Returns:
        ``{"labels": <days>, "data": [{"name": "事件统计", "data": [<int>, ...]}]}``
        with one integer per entry of the day list.
    """
    count_type = 1
    day_list = get_day_list(count_type)
    data_tag = "all-event"

    totals = dict()
    for day in day_list:
        sql = "SELECT sum(event_total) nums FROM {}".format(data_tag + "-" + day + "*")
        rows = exec_es_sql(sql)
        nums = rows[0]['nums'] if len(rows) > 0 else 0
        # A day that repeats in day_list accumulates into the same bucket.
        previous = totals.get(day)
        totals[day] = int(nums) + int(previous) if previous else int(nums)

    day_nums_list = [totals.get(day, 0) for day in day_list]
    return {"labels": day_list, "data": [{"name": "事件统计", "data": day_nums_list}]}
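def terminal_on_off_count(days, term_id):
    '''
    Terminal power-on / power-off rows for one terminal group.

    Args:
        days: day strings used to build the ``ssa-ag-all-terminal-<day>-*`` indices.
        term_id: terminal group id used both in the ES filter and the TermGroup lookup.

    Returns:
        ``{"labels": [...], "data": [[no, ip, duty, group, on_time, off_time], ...]}``
        where login_type 4 fills the on-time column and 5 the off-time column.

    Raises:
        ValueError: if a row's ``act_time`` is not ``%Y%m%d%H%M%S``.
    '''
    indices = ','.join('ssa-ag-all-terminal-{}-*'.format(day) for day in days)
    # NOTE(review): term_id is interpolated into the SQL string unescaped;
    # confirm callers only pass trusted ids or that the ES SQL layer rejects quotes.
    sql = ('SELECT term_group_name,login_ip,term_duty,act_time,login_type '
           'FROM {} where log_type = 2 and (login_type=4 or login_type=5) '
           'and term_group_id=\'{}\' order by act_time desc').format(indices, term_id)
    rows = exec_es_sql(sql=sql)

    # The group name depends only on term_id: resolve it once rather than
    # re-querying TermGroup for every row.
    term_name = "其他部门"
    if rows:
        term_list = TermGroup.objects.filter(term_group_id=term_id).values('term_group_name')
        if term_list:
            term_name = term_list.first()['term_group_name']

    data = []
    for i, item in enumerate(rows):
        act_time = datetime.strptime(item['act_time'], "%Y%m%d%H%M%S").strftime("%Y-%m-%d %H:%M:%S")
        if item['login_type'] == 4:
            data.append([i + 1, item['login_ip'], item['term_duty'], term_name, act_time, ""])
        elif item['login_type'] == 5:
            data.append([i + 1, item['login_ip'], item['term_duty'], term_name, "", act_time])

    return {
        "labels": [u"序号", u"IP", u"终端负责人", u"用户组名称", u"开机时间", u"关机时间"],
        "data": data
    }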
def attack_source_count(days):
    '''
    Top-10 attack sources.

    Args:
        days: day strings used to build the ``all-event-<day>-*`` indices.

    Returns:
        ``{"labels": [<src_ip>, ...], "data": [{"name": u'次数', "data": [...]}]}``;
        ``data`` is empty when there are no labels.
    '''
    indices = ','.join('all-event-{}-*'.format(day) for day in days)
    sql = ('select src_ip,count(*) count_ '
           'from {} where event_level>0 and event_one_type=\'攻击\' '
           'group by src_ip order by count_ desc limit 10').format(indices)
    rows = exec_es_sql(sql=sql)

    labels = []
    per_ip = {}
    for row in rows:
        ip = row['src_ip']
        if ip not in labels:
            labels.append(ip)
        per_ip[ip] = row['count_']  # a repeated IP keeps its last row

    series = {'name': u'次数', 'data': [per_ip[lab] for lab in labels]}
    return {"labels": labels, "data": [series] if len(labels) > 0 else []}
def post(self, request):
    '''
    Number of risky IPs and risky departments.

    Counts the distinct organizations and event hosts that produced events
    with event_level>0 over the last seven days of ``all-event``.

    Returns:
        Response ``{"status": 200, "data": {"org_size": <int>, "ip_size": <int>}}``.
    '''
    index = get_day7_index('all-event')
    org_sql = ('SELECT organization,count(*) FROM {} where event_level>0 '
               'group by organization').format(index)
    ip_sql = ('SELECT event_host,count(*) FROM {} where event_level>0 '
              'group by event_host').format(index)
    # One row per group, so the row count is the number of distinct values.
    org_size = len(exec_es_sql(sql=org_sql))
    ip_size = len(exec_es_sql(sql=ip_sql))
    return Response({"status": 200, "data": {'org_size': org_size, 'ip_size': ip_size}})