From 4976560821e698d57550db770ec55a5b54d4a4be Mon Sep 17 00:00:00 2001
From: wanglihui <949764788@qq.com>
Date: Thu, 9 Sep 2021 10:46:29 +0800
Subject: 新增敏感阈值过滤报警信息
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/main/java/com/zdjizhi/bolt/DosDetectionBolt.java | 15 ++++++++-------
 src/main/java/com/zdjizhi/bolt/MiddleStreamBolt.java | 4 ++++
 src/main/java/com/zdjizhi/bolt/ParseSketchLogBolt.java | 6 +++---
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/main/java/com/zdjizhi/bolt/DosDetectionBolt.java b/src/main/java/com/zdjizhi/bolt/DosDetectionBolt.java
index 273b561..49ac8b3 100644
--- a/src/main/java/com/zdjizhi/bolt/DosDetectionBolt.java
+++ b/src/main/java/com/zdjizhi/bolt/DosDetectionBolt.java
@@ -120,29 +120,30 @@ public class DosDetectionBolt extends BaseBasicBolt {
 private DosEventLog mergeFinalResult(Tuple2 eventLogByBaseline, Tuple2 eventLogByStaticThreshold) {
 if (eventLogByBaseline._1.score > eventLogByStaticThreshold._1.score) {
- mergeCondition(eventLogByBaseline._2, eventLogByStaticThreshold._2);
 logger.info("merge eventLogByBaseline {} \neventLogByStaticThreshold {}",eventLogByBaseline,eventLogByStaticThreshold);
- return eventLogByBaseline._2;
+ return mergeCondition(eventLogByBaseline._2, eventLogByStaticThreshold._2);
 } else {
- mergeCondition(eventLogByStaticThreshold._2, eventLogByBaseline._2);
 logger.info("merge eventLogByStaticThreshold {} \neventLogByBaseline {}",eventLogByStaticThreshold,eventLogByBaseline);
- return eventLogByStaticThreshold._2;
+ return mergeCondition(eventLogByStaticThreshold._2, eventLogByBaseline._2);
 }
 }
- private void mergeCondition(DosEventLog log1, DosEventLog log2) {
+ private DosEventLog mergeCondition(DosEventLog log1, DosEventLog log2) {
 if (log1 != null && log2 != null) {
 String conditions1 = log1.getConditions();
 String conditions2 = log2.getConditions();
 log1.setConditions(conditions1 + " and " + conditions2);
+ }else if (log1 == null && log2 != null){
+ log1 = log2;
 }
+ return log1;
 }
 private Tuple2 getDosEventLogByBaseline(DosSketchLog value, String destinationIp, String attackType) {
 Tuple2, Integer> floodTypeTup = baselineMap.get(destinationIp).get(attackType);
 Integer base = getBaseValue(floodTypeTup, value);
- long diff = value.getSketch_sessions() - base;
- return getDosEventLog(value, base, diff, "baseline");
+ long sketchSessions = value.getSketch_sessions();
+ return sketchSessions > CommonConfig.SENSITIVITY_THRESHOLD ? getDosEventLog(value, base, sketchSessions - base, "baseline"):io.vavr.Tuple.of(Severity.NORMAL, null);
 }
 private Tuple2 getDosEventLogByStaticThreshold(DosSketchLog value, Map thresholdMap) {
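Review bot: The new sensitivity gate in getDosEventLogByBaseline silently drops the baseline detection whenever sketch_sessions is at or below CommonConfig.SENSITIVITY_THRESHOLD, and nothing records that a deviation above baseline was discarded, so tuning the threshold or explaining a missed flood later is guesswork; log the suppression at debug, e.g. `logger.debug("baseline check skipped for {}/{}: sessions {} <= threshold {}", destinationIp, attackType, sketchSessions, CommonConfig.SENSITIVITY_THRESHOLD);` in the else arm (turning the ternary into an if/else). Since this same commit moves the division by sketch_duration into MiddleStreamBolt, the value compared here is presumably a per-duration rate rather than a raw count, so the unit of SENSITIVITY_THRESHOLD should be stated where CommonConfig declares it. mergeFinalResult can now return null when both candidate logs are null, and its caller is outside this hunk, so confirm it tolerates a null result. The body of getDosEventLogByStaticThreshold is also outside the hunk, so whether it applies the same gate cannot be seen from here.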
diff --git a/src/main/java/com/zdjizhi/bolt/MiddleStreamBolt.java b/src/main/java/com/zdjizhi/bolt/MiddleStreamBolt.java
index 85a075a..5aea1f6 100644
--- a/src/main/java/com/zdjizhi/bolt/MiddleStreamBolt.java
+++ b/src/main/java/com/zdjizhi/bolt/MiddleStreamBolt.java
@@ -36,6 +36,10 @@ public class MiddleStreamBolt extends BaseBasicBolt {
 if (TupleUtils.isTick(input)) {
 for (Tuple2 keys : middleStreamResult.keySet()) {
 DosSketchLog sketchLog = middleStreamResult.get(keys);
+ long sketchDuration = sketchLog.getSketch_duration();
+ sketchLog.setSketch_sessions(sketchLog.getSketch_sessions()/sketchDuration);
+ sketchLog.setSketch_packets(sketchLog.getSketch_packets()/sketchDuration);
+ sketchLog.setSketch_bytes(sketchLog.getSketch_bytes()/sketchDuration);
 collector.emit(new Values(sketchLog));
 }
 logger.debug("中间结果计算完毕,共计: {}条", middleStreamResult.size());
diff --git a/src/main/java/com/zdjizhi/bolt/ParseSketchLogBolt.java b/src/main/java/com/zdjizhi/bolt/ParseSketchLogBolt.java
index e519f51..64b30df 100644
--- a/src/main/java/com/zdjizhi/bolt/ParseSketchLogBolt.java
+++ b/src/main/java/com/zdjizhi/bolt/ParseSketchLogBolt.java
@@ -71,9 +71,9 @@ public class ParseSketchLogBolt extends BaseBasicBolt {
 long sketchBytes = Long.parseLong(obj.get("sketch_bytes").toString());
 dosSketchLog.setSource_ip(sourceIp);
 dosSketchLog.setDestination_ip(destinationIp);
- dosSketchLog.setSketch_sessions(sketchSessions / sketchDuration);
- dosSketchLog.setSketch_packets(sketchPackets / sketchDuration);
- dosSketchLog.setSketch_bytes(sketchBytes * 8 / sketchDuration);
+ dosSketchLog.setSketch_sessions(sketchSessions);
+ dosSketchLog.setSketch_packets(sketchPackets);
+ dosSketchLog.setSketch_bytes(sketchBytes);
 collector.emit(new Values(attackType,destinationIp,dosSketchLog));
 logger.debug("数据解析成功:{}", dosSketchLog.toString());
 }
-- cgit v1.2.3
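Review bot: The three divisions by sketchDuration added in the tick branch have no guard, so one aggregated record whose sketch_duration is 0 throws ArithmeticException inside the tick handler and aborts the emit loop for every key in middleStreamResult (in Storm an uncaught exception in execute typically takes the worker down), which lets a single malformed upstream record stall detection for all targets; guard it with `if (sketchDuration <= 0) { logger.warn("skip {}: sketch_duration={}", keys, sketchDuration); continue; }` before the first division. The bytes line also drops the `* 8` that the removed ParseSketchLogBolt code applied, so sketch_bytes is now bytes-per-duration instead of bits-per-duration; if the static thresholds are expressed in bits per second they are now off by a factor of eight, and if the unit change is intended a comment should say so. The normalisation mutates the stored DosSketchLog in place, so if middleStreamResult is not cleared after this loop (outside the hunk) the same entry would be divided again on the next tick. The enclosing execute method starts and ends outside the hunk.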
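Review bot: The three rewritten setters now store raw counters, but nothing at this point says that the per-duration normalisation has moved downstream, so a reader of this bolt will keep assuming sketch_sessions/packets/bytes are rates as they were before; add a comment above the first setter, e.g. `// raw counters: MiddleStreamBolt divides by sketch_duration on each tick`. Whether sketch_duration itself is copied onto dosSketchLog is not visible in this hunk, and MiddleStreamBolt's division depends on that field being set, so verify the setter is still called in the part of the method above the hunk. The enclosing method starts outside the hunk.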