From 81ea0e2820bfe1c7d353d865b58e9dae9c167e5a Mon Sep 17 00:00:00 2001 From: chaochaoc <13051077615@126.com> Date: Fri, 31 May 2024 15:38:41 +0800 Subject: feat: update logic --- src/main/resources/jobs/job3.yml | 74 +++++++++++++++++++++++++++++++++------- 1 file changed, 61 insertions(+), 13 deletions(-) diff --git a/src/main/resources/jobs/job3.yml b/src/main/resources/jobs/job3.yml index 051dd4e..ec67fe7 100644 --- a/src/main/resources/jobs/job3.yml +++ b/src/main/resources/jobs/job3.yml @@ -2,8 +2,9 @@ job: name: A Stream Example parallelism: 1 active-pipeline: - - stream1 -# - stream3 + - stream2 + - stream3 + - stream4 source: - name: session-records @@ -11,8 +12,9 @@ source: option: topic: SESSION-RECORD properties: - bootstrap.servers: 192.168.44.11:9092 - group.id: easy-stream-tester + bootstrap.servers: 192.168.41.29:9092 + group.id: easy-stream-tester9 + client.id: easy-stream-tester9 format: json schema: - name: session_id @@ -21,7 +23,7 @@ source: data-type: BIGINT NOT NULL - name: start_timestamp for: TO_TIMESTAMP_LTZ(start_timestamp_ms, 3) - watermark: start_timestamp - INTERVAL '5' SECOND + watermark: start_timestamp - INTERVAL '5' MINUTE - name: end_timestamp_ms data-type: BIGINT NOT NULL - name: decoded_as 
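Review bot: `active-pipeline` now lists stream2, stream3 and stream4 but not stream1, although all three are PRINT stages whose `on:` keys (later in this patch) reference `stream1.…` outputs. If `active-pipeline` gates which pipeline entries are scheduled rather than being resolved transitively through `on:` dependencies, the MULTI-RULE stage stream1 would never run and the three sinks would have nothing to print; I cannot tell which from this file, so it is worth confirming, or adding `- stream1` to the list. A short comment on the key stating whether listed entries pull in their `on:` dependencies would save the next reader the same question.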
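Review bot: The new `bootstrap.servers: 192.168.41.29:9092` swaps one private broker address for another in a file under src/main/resources, so an environment-specific endpoint is baked into the packaged artifact and has to change with every commit like this one. A value resolved at deploy time would keep the committed job definition environment-neutral, e.g. `bootstrap.servers: ${KAFKA_BOOTSTRAP_SERVERS}` (placeholder name) if the config loader expands such references, otherwise a profile-specific override. Bumping `group.id` to `easy-stream-tester9` starts a fresh consumer group and therefore replays from the configured offset reset, which is fine for testing but deserves a comment so the suffix is not mistaken for a production identifier; the added `client.id` line is fine.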
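Review bot: Raising the watermark lag on `start_timestamp` from 5 seconds to 5 minutes lets every event-time window in this job wait up to five minutes longer before closing, which — assuming the engine fires windows on the watermark — adds that delay to the time-to-alert of the windowed rules below (`with-in: 1 minute`, `slide-step: 30 second`). If the change is driven by measured out-of-order delivery on SESSION-RECORD, that measurement is the justification and belongs next to the line, e.g. `# 5 min bounded out-of-orderness: matches observed lag on SESSION-RECORD; revisit if alert latency matters`; the commit message ("update logic") does not say. The schema list this entry belongs to continues outside the hunk.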
@@ -218,19 +220,55 @@ source: pipeline: - name: stream1 - category: PRINT - on: 'stream2.c2 attack' - - name: stream3 - category: PRINT - on: session-records - - name: stream2 category: MULTI-RULE on: session-records parallelism: 10 rule: - name: 'c2 attack' type: CONDITION - when: server_ip_tags.arrayContainsAny("Loki Password Stealer (PWS)", "IcedID") + when: | + server_ip_tags.arrayContainsAny("Loki Password Stealer (PWS)", "IcedID", "QakBot", "Mirai", "BazarBackdoor", + "NjRAT", "CryptBot", "BitRAT", "RedLine Stealer", "Nanocore RAT", "DCRat", "Cobalt Strike", "AsyncRAT", + "ostap", "Vidar", "magecart", "Hancitor", "SystemBC", "SmokeLoader", "Remcos", "Amadey", "Ficker Stealer", + "Get2", "ISFB", "Dridex", "Pony", "Azorult","NetWire RC", "Mozi", "Raccoon", "Quasar RAT", "Emotet", "Numando", + "Oski Stealer", "Ave Maria", "NetSupportManager RAT","STRRAT", "Orcus RAT", "Vjw0rm", "Ghost RAT", "LimeRAT", + "Astaroth", "Unknown malware", "TrickBot", "IcedID Downloader","BetaBot", "Agent Tesla", "Bashlite", "DanaBot", + "Snake", "Gozi", "PoshC2", "Houdini", "BlackNET RAT", "Revenge RAT","ServHelper", "Alien", "N-W0rm", "LokiBot", + "Zloader", "Crimson RAT", "Grandoreiro", "Buer", "Qealler", "FastCash","CyberGate", "Formbook", "Hydra", "Arkei Stealer", + "Tsunami", "AdWind", "Dofloo", "MrBlack", "XLoader", "Anatsa","TeamBot", "DiamondFox", "BillGates", "Kinsing", + "CCleaner Backdoor", "JSOutProx", "SharkBot", "Empire Downloader","solarmarker", "FireBird RAT", "XpertRAT", + "RMS", "GCleaner", "Unidentified Linux 001", "Ousaban", "sLoad", "PerlBot","SectopRAT", "Loda", "Coinminer", + "DarkSide", "404 Keylogger", "Cpuminer", "MooBot", "Parallax RAT", "XOR DDoS","Vulturi", "Taurus Stealer", + "Cutwail", "Metamorfo", "GootLoader", "Meterpreter", "BumbleBee", "Tofsee", "Socelars","Squirrelwaffle", + "Roaming Mantis", "Alfonso Stealer", "DarkComet", "STOP", "MoqHao", "CollectorGoomba", "Prometei","Cerberus", + "Spectre Rat", "Unidentified 001", "FluBot", "BlackRock", 
"CryptoNight", "Kronos", "Winnti", "Korlia", + "Monero Miner", "Anubis", "MirrorBlast", "Banload", "FlawedGrace", "DoppelDridex", "Mispadu", "Mekotio", + "Ozone RAT","StealthWorker Go", "SilverFish", "NodeJS Ransomware", "Ryuk", "QNAPCrypt", "Venom RAT", + "BlackMatter", "Janeleiro","Chrysaor", "PurpleFox", "Mars Stealer", "Matanbuchus", "FFDroider", "BlackGuard", + "SMSspy", "TitanStealer", "BianLian","Deimos", "Sliver", "Aurora Stealer", "Stealc", "Gomorrah stealer", + "RecordBreaker", "Brute Ratel C4", "LaplasClipper","XWorm", "PhotoLoader", "Kimsuky", "Rhadamanthys", + "Nighthawk", "Fabookie", "Lumma Stealer", "Kaiji", "ClipBanker","PrivateLoader", "ViperSoftX", "Phonk", + "PlugX", "HyperBro", "SideWinder", "Coper", "Specter", "Kaiten", "Bitter RAT","BATLOADER", "ACBackdoor", + "BKA Trojaner", "JSSLoader", "PureCrypter", "SpyNote", "S.O.V.A.", "Ginzo Stealer","PennyWise Stealer", + "DOUBLEBACK", "FAKEUPDATES", "Nova Stealer", "RisePro", "ERMAC", "DarkGate", "Havoc", "Responder","Nimplant", + "ShadowPad", "Erbium Stealer", "Hook", "Pikabot", "IRATA", "Xtreme RAT", "ClearFake", "Ares", "Socks5 Systemz", + "Mystic Stealer", "CloudEyE", "Bisonal", "Joker", "pupy", "MetaStealer", "AMOS", "Bandit Stealer", "Godfather", + "Serpent","WikiLoader", "Meduza Stealer", "Poison Ivy", "TeamSpy", "BBtok", "Viper RAT", "win.icexloader", + "SpyBanker", "DUCKTAIL","VBREVSHELL", "Magniber", "DarkVNC", "DBatLoader", "Sorano", "Darktrack RAT", + "Octopus", "Yellow Cockatoo RAT", "Hajime","Nymaim", "X-Files Stealer", "Saint Bot", "LockBit", "BRATA", + "Bandook", "Confucius", "Raspberry Robin", "DeepRAT","Spyder", "Colibri Loader", "RM3", "Parrot TDS", + "JanelaRAT", "Konni", "jSpy", "stealler", "Dark Nexus", "Silence","Choziosi", "zgRAT", "HijackLoader", + "DeimosC2", "Andromeda", "ModernLoader", "Bahamut", "Medusa","WhiteSnake Stealer", "powershell_web_backdoor", + "Rafel RAT", "Lilith", "Sality", "MintStealer", "Plurox", "Kutaki","GhostLocker", "Serpent Stealer", "WpBruteBot", + 
"CopperStealer", "FlawedAmmyy", "FakeGram", "Nemesis", "Minodo","AresLoader", "lampion", "NetDooka", "FakeUpdateRU", + "ZStealer", "Cerber", "ZeroAccess", "Sakula RAT", "ObserverStealer","Nexus", "EvilExtractor", "Running RAT", + "Godzilla Loader", "Lucifer", "BlackCat", "Triada", "Conti", "FTCODE", "xmrig","DONOT", "PowerShellRunner", + "StrelaStealer", "CustomerLoader", "Sorillus RAT", "BluStealer", "AcridRain", "SparkRAT","BlueFox", "AllcomeClipper", + "TinyNuke", "Basbanke", "Eternity Stealer", "POWERTRASH", "Glupteba", "Xenomorph", "Lu0Bot","ConnectBack", + "LgoogLoader", "Unidentified 111 (Latrodectus)", "Phemedrone Stealer", "OLDBAIT", "xxmm", "CapraRAT", + "unidentified_001", "SVCReady", "Luca Stealer", "Unidentified 022 (Ransom)", "AhMyth", "ROMCOM RAT", + "KrBanker", "KEKW","ReverseRAT", "WannaCryptor", "Ramnit", "ExoBot", "LDR4", "Phorpiex", "More_eggs", + "Phoenix Keylogger", "EVILNUM", "Scarab Ransomware", "Borat RAT", "SupremeBot") - name: 'http error' type: AGGREGATE when: decoded_as == 'HTTP' && http_host.isNotNull && http_status_code != 200 @@ -241,7 +279,8 @@ pipeline: slide-step: 30 second - name: 'psiphon connecting' type: AGGREGATE - aggregate: COLLECT(DISTINCT server_ip) AS ips, COUNT(DISTINCT server_ip) AS cnt + when: app_transition.like('%Psiphon-Server%') + aggregate: COLLECT_SET(server_ip) AS ips, COUNT(DISTINCT server_ip) AS cnt group-by: client_ip having: cnt > 10 with-in: 1 minute @@ -263,3 +302,12 @@ pipeline: - A AS REGEXP(dns_qname, '.*akamai[.]net.*') OR REGEXP(dns_qname, '.*fastly[.]net') OR dns_qname = 'b-cdn.net' - B AS decoded_as IN ('HTTP', 'SSL') AND REGEXP(app_transition, '.*heartbeat.*') with-in: 1 minute + - name: stream2 + category: PRINT + on: 'stream1.http error' + - name: stream3 + category: PRINT + on: 'stream1.psiphon connecting' + - name: stream4 + category: PRINT + on: 'stream1.psiphon cdn domain fronting' \ No newline at end of file -- cgit v1.2.3
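Review bot: The `when:` of 'c2 attack' now embeds several hundred quoted family names inside one expression, which makes the rule hard to review for typos and inconsistent entries (`"Unidentified 001"` next to `"unidentified_001"`, the catch-all `"Unknown malware"`, and casing such as `"solarmarker"` against `"IcedID"`), and every feed refresh becomes an edit to this YAML. Assuming `arrayContainsAny` compares strings exactly, any entry whose casing or spelling drifts from the tag source silently never matches, so the list is better kept in a separate file or a named list the expression references, with its provenance and refresh date noted in a comment above the rule. The scalar also changed from a single line to `when: |`, so the expression now reaches the rule engine with embedded newlines and a trailing newline; confirm the expression parser accepts that, since the old single-line form never exercised it. Finally, the name 'c2 attack' no longer describes the rule — the list includes miners, ransomware and banking trojans — so either the name or a comment such as `# matches any known-malicious server_ip tag, not only C2` should say what it flags.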
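Review bot: Nothing records why `COLLECT(DISTINCT server_ip)` became `COLLECT_SET(server_ip)` in 'psiphon connecting' (unsupported function, different output type, or a behavioural fix); the commit message does not say, and the two read as equivalent in intent, so a later cleanup could revert it. A one-line comment above `aggregate:` — `# COLLECT_SET de-duplicates server_ip per client_ip within the window; replaces COLLECT(DISTINCT …)` — would settle that. The new `when: app_transition.like('%Psiphon-Server%')` is a substring match; if `like` is case-sensitive in this expression language, a tag written as `psiphon-server` would not trigger the rule, which is worth a note or a case-insensitive form if one exists. The rule's window (`with-in: 1 minute`, `having: cnt > 10`) is inside the hunk, but the enclosing `pipeline` list starts before it.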
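Review bot: With the old PRINT consumer of `'stream2.c2 attack'` removed in the @@ -218 hunk and the new sinks wired only to `'stream1.http error'`, `'stream1.psiphon connecting'` and `'stream1.psiphon cdn domain fronting'`, the 'c2 attack' rule — the one this commit expands most — has no output stage left in this file, so its matches are computed at parallelism 10 and discarded unless something outside this file consumes them. If that is intentional for this run, a comment saying so, or a fourth sink `- name: stream5` / `category: PRINT` / `on: 'stream1.c2 attack'`, would make the omission deliberate rather than an oversight. The file also loses its trailing newline (`\ No newline at end of file`), which the previous version had.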