def report(self, oshVector, interaction): if self.acceptorEngine.accepts(interaction.srcNode) and self.acceptorEngine.accepts(interaction.dstNode)\ and (interaction.srcNode.ip, interaction.dstNode.ip) not in self.reportedLinks: trafficLinkOSH = modeling.createLinkOSH('traffic', interaction.srcNode.ipOsh, interaction.dstNode.ipOsh) if self.reportTrafficDetails: from appilog.common.system.types import AttributeStateHolder from appilog.common.system.types.vectors import StringVector octets = 0 packets = 0 portsSet = StringVector() connections = self.ipToIpConnections.get((interaction.srcNode.ip, interaction.dstNode.ip), []) for connection in connections: octets += connection.octetCount and int(connection.octetCount) or 0 packets += connection.packetCount and int(connection.packetCount) or 0 if portsSet.size() < self.maxPorts: portsSet.add(str(connection.srcPort)) if portsSet.size() < self.maxPorts: portsSet.add(str(connection.dstPort)) ash = AttributeStateHolder('traffic_portlist', portsSet) trafficLinkOSH.addAttributeToList(ash) trafficLinkOSH.setLongAttribute('traffic_octets', octets) trafficLinkOSH.setLongAttribute('traffic_pkts', packets) oshVector.add(trafficLinkOSH) self.reportedLinks.append((interaction.srcNode.ip, interaction.dstNode.ip))
def discover_private(self): maxPorts = Integer.parseInt(self.getParameterValue('maxPorts')) tcpOnly = Boolean.parseBoolean(self.getParameterValue('tcpOnly')) #WE ALWAYS CHECK ONLY ONE DIRECTION SINCE WE ALWAYS REPORT FLOWS IN BOTH DIRECTION SO #WE CAN COUNT CLIENTS ONLY ON ONE SIDE #WE ASSUME THAT NETFLOW ALWAYS REPORTS CONNECTIONS IN BOTH DIRECTIONS SO WE WILL GET #OCTETS AND PACKETS COUNT ALWAYS query = ' select SrcAddr ,DstAddr ,DstPort ,count(*) cnt, sum(dPkts) dPkts, sum(dOctets) dOctets, Prot,' query = query + ' case when Port is NULL then 0 else 1 end ListenPort ' query = query + ' from Agg_V5 left join Port_Process on DstAddr=ipaddress and DstPort=port and Prot = Protocol and listen ' if tcpOnly: query = query + ' where Prot=6 ' query = query + ' group by SrcAddr, DstAddr, DstPort ' #for each ip -> ip traffic we first wnat get ports that are listen, than which have more clients #after all ports which have more traffic query = query + ' order by SrcAddr, DstAddr, ListenPort desc, cnt desc, dOctets desc, dPkts desc' #here Prot is asc since TCP ports have higher priority on UDP ports query = query + ', Prot asc ' conn = self.Framework.getProbeDatabaseConnection('TCPDISCOVERY') st = None result = None try: st = conn.createStatement() result = st.executeQuery(query) currSrcAddr = None portsSet = StringVector() currDstAddr = None currLinkID = None octets = 0 packets = 0 dataFound = 0 while result.next(): dataFound = 1 srcAddr = str(result.getString('SrcAddr')) dstAddr = str(result.getString('DstAddr')) dstPort = result.getString('DstPort') cnt = result.getString('cnt') listenPort = result.getInt('ListenPort') if not self.isServerPort(cnt, listenPort, dstPort): continue if not self.shouldInclude(srcAddr, 0): continue if not self.shouldInclude(dstAddr, 1): continue linkID = self.createLinkID(srcAddr, dstAddr) if currLinkID == linkID: octets = octets + result.getInt('dOctets') packets = packets + result.getInt('dPkts') if portsSet.size() < maxPorts: portsSet.add(dstPort) continue elif currLinkID != None: self.addTraffic(currSrcAddr, currDstAddr, portsSet, octets, packets) currLinkID = linkID currSrcAddr = srcAddr currDstAddr = dstAddr portsSet = StringVector() portsSet.add(dstPort) octets = result.getInt('dOctets') packets = result.getInt('dPkts') if not dataFound: self.Framework.reportWarning("No data to process, please check if Host Resources jobs had already run") if currLinkID != None: self.addTraffic(currSrcAddr, currDstAddr, portsSet, octets, packets) finally: if result != None: try: result.close except: pass conn.close(st) conn.close()