def get_host_http_status(self, start_time, end_time):
"""网站http状态统计
"""
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "web-log-http_status_count"
}
}, {
"range": {
"time": {
"gte": start_time
}
}
}, {
"range": {
"time": {
"lt": end_time
}
}
}]
}
},
"aggs": {
"top_host": {
"top_hits": {
"sort": [{
"data.web_log_http_status_total_count": {
"order": "desc"
}
}],
"_source": {},
"size":
100
}
}
}
}
result = es_common.get_es_data(body, size=0)
domains = {}
if result:
hits = result.get('aggregations',
{}).get('top_host', {}).get("hits",
{}).get("hits", [])
for da in hits:
data = da.get("_source", {}).get("data", {})
# [{
# "count": 17,
# "web_log_http_status": 502
# },]
status_list = data.get("web_log_http_status_count", [])
domain = data.get("web_log_host", "")
if domain:
domains[domain] = status_list
return domains
def get_abnormal_throughput_peak(self, start_time, end_time):
"""异常流量峰值,一小时
"""
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "network-abnormal_throughput_peak"
}
}, {
"range": {
"time": {
"gte": start_time
}
}
}, {
"range": {
"time": {
"lt": end_time
}
}
}]
}
},
"aggs": {
"mydata": {
"max": {
"field": "data.network_max_in_bytes"
}
}
}
}
result = es_common.get_es_data(body, size=0, days=2)
if result:
data = result.get("aggregations", {}).get("mydata",
{}).get("value")
if not data:
data = 0
return data
def hole_assets(agent, company):
"漏洞资产指数"
net_device_count = models.NetDevice.objects.filter(
idc__agent=agent, company=company).count()
server_count = models.Server.objects.filter(idc__agent=agent,
company=company).count()
terminal_count = models.Terminal.objects.filter(asset__agent=agent,
company=company).count()
total_assets = net_device_count + server_count + terminal_count
start_time = (datetime.datetime.now() - datetime.timedelta(days=1)).date()
str_start_time = datetime.datetime.strftime(start_time,
'%Y-%m-%d') + ' 00:00:00'
end_time = (datetime.datetime.now() - datetime.timedelta(days=0)).date()
str_end_time = datetime.datetime.strftime(end_time,
'%Y-%m-%d') + ' 00:00:00'
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "vul-vul_total_count"
}
}, {
"range": {
"time": {
"gte": str_start_time
}
}
}, {
"range": {
"time": {
"lt": str_end_time
}
}
}]
}
},
"sort": {
"time": {
"order": "desc"
}
},
}
result = get_es_data(body, size=24)
data = result.get("hits").get('hits')
hole_total = 0
for source in data:
if source.get("_source") and source.get("_source").get('data'):
es_data = source.get("_source").get('data')
hole_total = hole_total + es_data.get("vul_total_count")
hole_assets_num = 0
if total_assets:
hole_assets_num = float(hole_total) / total_assets
if hole_assets_num > 1:
hole_assets_num = 1
logger.warning(
"this user who 'agent_id={0}' hole_total is more than total_assets !!!"
.format(agent.id))
return 100 - int(hole_assets_num * 100)
def business_visit(agent, company):
"""
业务访问指数
攻击接口返回值 200 400 500之类 ==>TODO
"""
start_time = (datetime.datetime.now() - datetime.timedelta(days=1)).date()
str_start_time = datetime.datetime.strftime(start_time,
'%Y-%m-%d') + ' 00:00:00'
end_time = (datetime.datetime.now() - datetime.timedelta(days=0)).date()
str_end_time = datetime.datetime.strftime(end_time,
'%Y-%m-%d') + ' 00:00:00'
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "web-log-http_status_count"
}
}, {
"range": {
"time": {
"gte": str_start_time
}
}
}, {
"range": {
"time": {
"lt": str_end_time
}
}
}]
}
},
"aggs": {
"mydata": {
"terms": {
"field": "data.web_log_host",
"size": 0,
"order": {
"mycount.value": "desc"
}
},
"aggs": {
"mycount": {
"sum": {
"field": "data.web_log_http_status_total_count"
}
}
}
}
},
}
result = get_es_data(body, size=0)
domains = []
domain_dict = {}
if result.get('aggregations') and result.get('aggregations').get(
'mydata') and result.get('aggregations').get('mydata').get(
"buckets"):
data = result.get('aggregations').get('mydata').get("buckets")
for da in data:
domains.append(da.get('key'))
domain_dict[da.get('key')] = {
"2xx": 0,
"3xx": 0,
"4xx": 0,
"5xx": 0
}
# 先取出访问量最大的网站 再分辨算出网站具体访问状态的数据
for domain in domains:
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "web-log-http_status_count"
}
}, {
"range": {
"time": {
"gte": str_start_time
}
}
}, {
"match": {
"data.web_log_host": domain
}
}, {
"range": {
"time": {
"lt": str_end_time
}
}
}]
}
}
}
result = get_es_data(body, size=cycle)
data = result.get('hits').get('hits')
for da in data:
for d in da.get('_source').get('data').get(
'web_log_http_status_count'):
if str(d.get('web_log_http_status')).startswith('2'):
domain_dict[domain]['2xx'] += d.get('count')
if str(d.get('web_log_http_status')).startswith('3'):
domain_dict[domain]['3xx'] += d.get('count')
if str(d.get('web_log_http_status')).startswith('4'):
domain_dict[domain]['4xx'] += d.get('count')
if str(d.get('web_log_http_status')).startswith('5'):
domain_dict[domain]['5xx'] += d.get('count')
total = 0
success = 0
for domain in domains:
total += domain_dict[domain]['2xx'] + domain_dict[domain]['3xx'] + domain_dict[domain]['4xx'] + \
domain_dict[domain]['5xx']
success += domain_dict[domain]['2xx']
if total:
return int(float(success) / total * 100)
return 0
def hole_serious(agent, company):
"漏洞严重指数"
start_time = (datetime.datetime.now() - datetime.timedelta(days=1)).date()
str_start_time = datetime.datetime.strftime(start_time,
'%Y-%m-%d') + ' 00:00:00'
end_time = (datetime.datetime.now() - datetime.timedelta(days=0)).date()
str_end_time = datetime.datetime.strftime(end_time,
'%Y-%m-%d') + ' 00:00:00'
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "vul-vul_level_count"
}
}, {
"range": {
"time": {
"gte": str_start_time
}
}
}, {
"range": {
"time": {
'lt': str_end_time
}
}
}]
}
},
"aggs": {
"mydata": {
"terms": {
"field": "data.vul_level",
"size": 0,
"order": {
"mycount.value": "desc"
}
},
"aggs": {
"mycount": {
"sum": {
"field": "data.count"
}
}
}
}
}
}
result = get_es_data(body, size=0)
serious = 0
total = 0
if result.get('aggregations') and result.get('aggregations').get(
'mydata') and result.get("aggregations").get("mydata").get(
"buckets"):
data = result.get("aggregations").get("mydata").get("buckets")
for da in data:
if da.get('key') == '严重':
serious += da.get('mycount').get('value')
total += da.get('mycount').get('value')
if total:
hole_serious_num = float(serious) / total
return 100 - int(hole_serious_num * 100)
return 100
def trojan(agent, company):
"""僵木蠕指数"""
start_time = (datetime.datetime.now() - datetime.timedelta(days=1)).date()
str_start_time = datetime.datetime.strftime(start_time,
'%Y-%m-%d') + ' 00:00:00'
end_time = (datetime.datetime.now() - datetime.timedelta(days=0)).date()
str_end_time = datetime.datetime.strftime(end_time,
'%Y-%m-%d') + ' 00:00:00'
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "virus-asset_top"
}
}, {
"range": {
"time": {
"gte": str_start_time
}
}
}, {
"range": {
"time": {
"lt": str_end_time
}
}
}]
}
},
"aggs": {
"mydata": {
"terms": {
"field": "data.virus_host_ip"
}
}
}
}
result = get_es_data(body, size=0)
trojan_total = 0
if result.get('aggregations') and result.get('aggregations').get(
'mydata') and result.get("aggregations").get("mydata").get(
"buckets"):
data = result.get("aggregations").get("mydata").get("buckets")
trojan_total = len(data)
net_device_count = models.NetDevice.objects.filter(
idc__agent=agent, company=company).count()
server_count = models.Server.objects.filter(idc__agent=agent,
company=company).count()
terminal_count = models.Terminal.objects.filter(asset__agent=agent,
company=company).count()
total_assets = net_device_count + server_count + terminal_count
trojan_total_num = 0
if total_assets:
trojan_total_num = float(trojan_total) / total_assets
if trojan_total_num > 1:
trojan_total_num = 1
logger.warning(
"this user who 'agent_id={0}' trojan_total_num is more than total_assets !!!"
.format(agent.id))
return 100 - int(trojan_total_num * 100)
def business_health(agent, company):
"""业务流康指数"""
# 攻击流量小于基础流量为100分 大于最大流量为0分 中间线性变化
max_fow = 10 * 1024 # 评分为0的流量上线 10G
base_flow = 1 # 基础流量 1M
start_time = (datetime.datetime.now() - datetime.timedelta(days=1)).date()
str_start_time = datetime.datetime.strftime(start_time,
'%Y-%m-%d') + ' 00:00:00'
end_time = (datetime.datetime.now() - datetime.timedelta(days=0)).date()
str_end_time = datetime.datetime.strftime(end_time,
'%Y-%m-%d') + ' 00:00:00'
body = {
"query": {
"bool": {
"must": [{
"match": {
"key": "anti-ddos-max_throughput"
}
}, {
"range": {
"time": {
"gte": str_start_time
}
}
}, {
"range": {
"time": {
"lt": str_end_time
}
}
}]
}
},
"sort": {
"time": {
"order": "desc"
}
},
"aggs": {
"mydata": {
"date_histogram": {
"field": "time",
"interval": "hour",
"format": "yyyy-MM-dd HH:mm:ss",
"min_doc_count": 0,
"extended_bounds": {
"min": str_start_time,
"max": str_end_time
}
},
"aggs": {
"mycount": {
"sum": {
"field": "data.anti_ddos_max_throughput"
}
}
}
}
}
}
result = get_es_data(body, size=0)
x = []
y = []
if result.get('aggregations') and result.get('aggregations').get(
'mydata') and result.get('aggregations').get('mydata').get(
"buckets"):
data = result.get('aggregations').get('mydata').get("buckets")
for da in data:
x.append(da.get('key_as_string'))
y.append(da.get('mycount').get('value'))
max_y = max(y)
max_y = float(max_y) / (1024 * 1024)
if max_y < base_flow:
business_health_number = 100
elif max_y > max_fow:
business_health_number = 0
else:
business_health_number = 80.0078 - 0.0078 * max_y
return int(business_health_number)