在系统总览面板-图形化报警,功能设计:如果某个特定的区域发现符合报警条件的情况,则产生告警。并且相应的图形显示为红色扩散状的小球。
系统默认用户为 j2开奖直播 ,密码为 123456 ,登录后建议管理员修改管理员密码。成功登录后,进入系统的主界面。如下图所示:
当点击相应的红色小球,则显示具体的报警信息,如图:
同时可以进入详细页面查看原始日志和标准化后的报警日志。
查看完报警信息后小球的颜色恢复到原来的蓝色,证明报警信息被网管人员处理过。如图:
图形化报警功能特别适合网管监控大屏幕显示,让安全事件发生源迅速形象地映入网管人员的视野。 报表功能 在安全报表中显示如图:
设置安全报表查询条件,包括:开始结束时间、扫描条数、是否有图形显示、显示图形的X轴和Y轴。
安全报表显示如图:
策略设置功能 如何进行策略创建和分发 在“规则和策略”中左边的策略项中可点击正则表达式配置。
点击其中的“对象”弹出如下:
数据库设计 (1)系统登录表GSGSoft_System
(2)登录日志GSGSoft_SiteLogin_log
(3)Root 表Common Event Format
GSGSoft服务器核心代码实现 编程工具:VC++ 平台:Windows 技术选型:IOCP架构 (Windows服务器要接收海量的日志一般技术架构是无法支持的) IocpUdpInstance IocpUdpInstance处理接收syslog UDP 54端口传输过来的日志数据。代码实现如下:
#include"stdafx.h"
#include"IocpUdpInstance.h"
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////

// Overlapped UDP receiver that is bound to the parent's I/O completion port.
// Each completed receive hands the datagram to a handler object obtained from
// LpContainer, then re-posts the same buffer for the next datagram.
CIocpUdpInstance::CIocpUdpInstance()
{
    // NOTE(review): the default port is 5353, while the text above quotes
    // UDP port 54; the value can be overridden via SetValue(SOCK_PORT, ...).
    m_Port = 5353;
    m_Inited = FALSE;
    Lpbuf = m_buf;           // receive into the member buffer unless IOCP_BUFFER replaces it
    m_BufLen = BUF_LEN;
    m_FromLen = sizeof(SOCKADDR_IN);
}

CIocpUdpInstance::~CIocpUdpInstance()
{
    Cleanup();
}

// Creates the overlapped UDP socket and binds it to m_Port.
// Returns FALSE if there is no parent or socket creation/binding fails;
// on failure the socket is torn down again via Cleanup().
BOOL CIocpUdpInstance::Initialize()
{
    if(LpParent == NULL) return FALSE;
    if(m_Inited) return TRUE;   // idempotent: a second call is a no-op
    Lpbuf = m_buf;
    m_BufLen= BUF_LEN;
    // NOTE(review): s, m_Result and nRet are assigned here but never read.
    SOCKET s = INVALID_SOCKET;
    DWORD m_Result=0;
    int nRet=0;
    // create the SOCKET and bind it for listening
    if(!m_Socket.CreateSocket(SOCK_DGRAM,IPPROTO_UDP,WSA_FLAG_OVERLAPPED)) goto EXIT;
    if(!m_Socket.Bind(m_Port)) goto EXIT;
    m_Inited = TRUE;
    return TRUE;
EXIT:
    Cleanup();
    return FALSE;
}

// Initializes the socket, asks the parent to associate it with the completion
// port (FN_IOCP_BIND) and posts the first overlapped receive.
// Returns FALSE if initialization or the bind request fails.
BOOL CIocpUdpInstance::Doit()
{
    if(LpParent == NULL ||!Initialize()) return FALSE;
    // bind to the I/O completion port
    SOCKET s = m_Socket;
    if(!LpParent->Invoke(FN_IOCP_BIND,this,(HANDLE)s)) return FALSE;
    // A size of 0 skips the dispatch branch and only arms the first receive.
    // NOTE(review): the return value of RecvHandler(0) is ignored, so a failed
    // first WSARecvFrom is not reported to the caller.
    RecvHandler(0);
    return TRUE;
}

// Closes the socket and marks the instance as uninitialized.
void CIocpUdpInstance::Cleanup()
{
    m_Inited = FALSE;
    m_Socket.Cleanup();
}

// Intentionally empty: this instance is not returned to a pool.
void CIocpUdpInstance::Release()
{
}

// Property setter on the CBase varargs protocol.
// Handles IOCP_BUFFER (LPSTR buffer, LONG length) and SOCK_PORT (int);
// anything else is forwarded to CBase::SetValue with the original va_list.
// BASE_VALIST means the real code and arguments arrive as a nested va_list
// (used when a subclass forwards to its base).
// NOTE(review): `va_base = (va_list)&m_Code` relies on the MSVC stack-based
// va_list representation and is not portable.
BOOL CIocpUdpInstance::SetValue(DWORD m_Code,...)
{
    va_list vl,va_base;
    va_start(vl,m_Code);
    va_base = (va_list)&m_Code;
    if(m_Code == BASE_VALIST)
    {
        vl = va_arg(vl,va_list);
        va_base = vl;
        m_Code =va_arg(vl,DWORD);
    }
    BOOL m_Resoult=TRUE;
    switch(m_Code)
    {
    case IOCP_BUFFER:
    {
        // Caller-owned buffer; no length validation is done here, so the
        // caller must keep it alive and sized for m_BufLen bytes.
        Lpbuf = va_arg(vl,LPSTR);
        m_BufLen=va_arg(vl,LONG);
        break;
    }
    case SOCK_PORT:
    {
        m_Port=va_arg(vl,int);
        break;
    }
    default:
    {
        m_Resoult=FALSE;
    }
    }
    if(!m_Resoult) // not handled here; defer to the base class
    {
        m_Resoult=CBase::SetValue(BASE_VALIST,va_base);
    }
    va_end(va_base);
    va_end(vl);
    return m_Resoult;
}

// Property getter on the CBase varargs protocol.
// IOCP_HANDLER: (LPWSAOVERLAPPED, CBase**) -> recovers the owning instance
//               from the overlapped structure that completed.
// BASE_OBJECT:  (HANDLE*)  -> the socket handle.
// SOCK_PORT:    (int*)     -> the bound port.
// Anything else is forwarded to CBase::GetValue.
BOOL CIocpUdpInstance::GetValue(DWORD m_Code,...)
{
    va_list vl,va_base;
    va_start(vl,m_Code);
    va_base = (va_list)&m_Code;
    if(m_Code == BASE_VALIST)
    {
        vl = va_arg(vl,va_list);
        va_base = vl;
        m_Code =va_arg(vl,DWORD);
    }
    BOOL m_Resoult=TRUE;
    switch(m_Code)
    {
    case IOCP_HANDLER:
    {
        LPWSAOVERLAPPED Lpolap = va_arg(vl,LPWSAOVERLAPPED);
        CBase** LpBase = va_arg(vl,CBase**);
        *LpBase = NULL;
        // m_olap is embedded in this object, so the overlapped pointer
        // handed back by the completion port maps to the instance.
        *LpBase =CONTAINING_RECORD(Lpolap, CIocpUdpInstance, m_olap);
        break;
    }
    case BASE_OBJECT:
    {
        *(va_arg(vl,HANDLE*))=(HANDLE)(SOCKET)m_Socket;
        break;
    }
    case SOCK_PORT:
    {
        *(va_arg(vl,int*))=m_Port;
        break;
    }
    default:
    {
        m_Resoult=FALSE;
    }
    }
    if(!m_Resoult) // not handled here; defer to the base class
    {
        m_Resoult=CBase::GetValue(BASE_VALIST,va_base);
    }
    va_end(va_base);
    va_end(vl);
    return m_Resoult;
}

// Completion-port callback entry. FN_IOCP_HANDLER carries the number of
// bytes transferred (DWORD) and is routed to RecvHandler.
// Returns FALSE for unknown codes.
DWORD CIocpUdpInstance::Invoke(DWORD m_Code,...)
{
    va_list vl;
    va_start(vl,m_Code);
    DWORD m_Resoult = TRUE;
    switch(m_Code)
    {
    case FN_IOCP_HANDLER:
    {
        DWORD m_szTrans = va_arg(vl,DWORD);
        RecvHandler(m_szTrans);
        break;
    }
    default:
    {
        m_Resoult=FALSE;
    }
    }
    va_end(vl);
    return m_Resoult;
}

// Processes one completed receive of m_szTrans bytes (0 on the initial arm),
// then re-posts the overlapped receive on the same buffer.
// Returns FALSE only when WSARecvFrom fails with something other than
// ERROR_IO_PENDING.
BOOL CIocpUdpInstance::RecvHandler(DWORD m_szTrans)
{
    if(m_szTrans > 0 &&LpContainer)
    {
        CBase *t_Tmp =LpContainer->Alloc();
        if(t_Tmp)
        {
            t_Tmp->Initialize();
            t_Tmp->SetValue(BASE_OBJECT,&m_Socket);
            t_Tmp->SetValue(BASE_PARENT,(CBase*)this);
            t_Tmp->SetValue(BASE_HANDLER,LpHandler);
            // The handler is given the raw receive buffer and its length.
            // The buffer is re-armed below, so the handler must copy what it
            // needs before returning (CIocpUdpHandler does so in FN_INVOKE).
            if(!t_Tmp->Invoke(FN_INVOKE,Lpbuf, m_szTrans))
            {
                if(!t_Tmp->Recycle())t_Tmp->Release();
            }
        }
    }
    // NOTE(review): INITBUF is a project macro not shown here; whether it
    // NUL-terminates or zero-fills Lpbuf cannot be confirmed from this page.
    INITBUF(m_WBuf,Lpbuf,m_BufLen);
    memset(&m_olap,0,sizeof(m_olap));m_FromLen=sizeof(SOCKADDR_IN);
    int nRet =m_Socket.RecvEx(&m_WBuf,0,(sockaddr*)&m_SockAddr,&m_FromLen,&m_olap);
    if(nRet==SOCKET_ERROR)
    {
        DWORD m_Result =WSAGetLastError();
        if(m_Result !=ERROR_IO_PENDING)
        {
            return FALSE;
        }
    }
    return TRUE;
}

#include"StdAfx.h"
#include"IocpUdpHandler.h"

// Per-datagram handler: copies the received event text, queues itself on the
// completion port, and on dequeue runs the event through the policy matcher.
CIocpUdpHandler::CIocpUdpHandler(void)
{
    hIocp = NULL;
    m_Policy_p = NULL;
}

CIocpUdpHandler::~CIocpUdpHandler(void)
{
}

// Resolves the completion port handle from the parent (CIocpBase) and the
// policy object (OBJECT_POLICY) from the grandparent (CAppInstance).
// Returns TRUE only when both were found.
BOOL CIocpUdpHandler::Initialize()
{
    if(LpParent == NULL) return FALSE;
    CBase *t_Base = NULL;
    hIocp = NULL;
    LpParent->GetValue(BASE_PARENT,&t_Base);
    if(t_Base) //CIocpBase
    {
        t_Base->GetValue(BASE_OBJECT,&hIocp);
        // CAppInstance
        if(t_Base->GetValue(BASE_PARENT,&t_Base) && t_Base)
        {
            t_Base->GetValue(BASE_OBJECT,OBJECT_POLICY, &m_Policy_p);
        }
    }
    return (hIocp &&m_Policy_p);
}

// Drops the buffered event text.
void CIocpUdpHandler::Cleanup()
{
    m_Event.clear();
}

// Property getter: BASE_CLASSTYPE (DWORD*) yields this class's type id;
// everything else is forwarded to CBase::GetValue.
BOOL CIocpUdpHandler::GetValue(DWORD m_Code,...)
{
    va_list vl,va_base;
    va_start(vl,m_Code);
    va_base = (va_list)&m_Code;
    if(m_Code == BASE_VALIST)
    {
        vl = va_arg(vl,va_list);
        va_base = vl;
        m_Code =va_arg(vl,DWORD);
    }
    BOOL m_Resoult=TRUE;
    switch(m_Code)
    {
    case BASE_CLASSTYPE:
    {
        // Magic class-type id; its registry is not on this page.
        *(va_arg(vl,DWORD*))=0x00000019;
        break;
    }
    default:
    {
        m_Resoult=FALSE;
    }
    }
    if(!m_Resoult)
    {
        m_Resoult=CBase::GetValue(BASE_VALIST,va_base);
    }
    va_end(va_base);
    va_end(vl);
    return m_Resoult;
}

// FN_INVOKE (LPCSTR buffer, ULONG size): copies the datagram text into
//   m_Event and posts this object to the completion port for later handling.
// FN_IOCP_HANDLER: runs m_Event through the policy matcher and, on a match,
//   hands the normalized event to LpHandler (ITEM_ADD). This case deliberately
//   falls through to default, so the result is always FALSE.
DWORD CIocpUdpHandler::Invoke(DWORD m_Code,...)
{
    va_list vl;
    va_start(vl, m_Code);
    DWORD m_Resoult = TRUE;
    switch(m_Code)
    {
    case FN_INVOKE:
    {
        // NOTE(review): assigning from LPCSTR copies up to the first NUL, not
        // up to t_Size. A datagram that is not NUL-terminated inside the
        // receive buffer would be read past its own end (and a datagram
        // containing an embedded NUL would be truncated); confirm that the
        // receiver's buffer setup guarantees termination.
        m_Event = va_arg(vl, LPCSTR);
        ULONG t_Size= va_arg(vl, ULONG);
        m_Resoult =PostQueuedCompletionStatus(hIocp, t_Size, (ULONG_PTR)this, NULL);
        break;
    }
    case FN_IOCP_HANDLER:
    {
        // deliberately no break: fall through to default so FALSE is returned
        if(m_Policy_p)
        {
            std::string t_Event_o;
            if(m_Policy_p->GetValue(BASE_AVAILABLE,&m_Event, &t_Event_o))
            {
                LpHandler->Invoke(ITEM_ADD,&t_Event_o);
            }
        }
    }
    default:
    {
        m_Resoult =FALSE;
    }
    }
    va_end(vl);
    return m_Resoult;
}

IocpUdpHandler IocpUdpHandler处理接收过来的数据,实现代码如下:
// The listing below repeats the CIocpUdpHandler code shown above verbatim.
#include"StdAfx.h"
#include"IocpUdpHandler.h"

CIocpUdpHandler::CIocpUdpHandler(void)
{
    hIocp = NULL;
    m_Policy_p = NULL;
}

CIocpUdpHandler::~CIocpUdpHandler(void)
{
}

// Resolves hIocp from the parent and m_Policy_p from the grandparent.
BOOL CIocpUdpHandler::Initialize()
{
    if(LpParent == NULL) return FALSE;
    CBase *t_Base = NULL;
    hIocp = NULL;
    LpParent->GetValue(BASE_PARENT,&t_Base);
    if(t_Base) //CIocpBase
    {
        t_Base->GetValue(BASE_OBJECT,&hIocp);
        // CAppInstance
        if(t_Base->GetValue(BASE_PARENT,&t_Base) && t_Base)
        {
            t_Base->GetValue(BASE_OBJECT,OBJECT_POLICY, &m_Policy_p);
        }
    }
    return (hIocp &&m_Policy_p);
}

void CIocpUdpHandler::Cleanup()
{
    m_Event.clear();
}

// BASE_CLASSTYPE (DWORD*) -> class type id; otherwise CBase::GetValue.
BOOL CIocpUdpHandler::GetValue(DWORD m_Code,...)
{
    va_list vl,va_base;
    va_start(vl,m_Code);
    va_base = (va_list)&m_Code;
    if(m_Code == BASE_VALIST)
    {
        vl = va_arg(vl,va_list);
        va_base = vl;
        m_Code =va_arg(vl,DWORD);
    }
    BOOL m_Resoult=TRUE;
    switch(m_Code)
    {
    case BASE_CLASSTYPE:
    {
        *(va_arg(vl,DWORD*))=0x00000019;
        break;
    }
    default:
    {
        m_Resoult=FALSE;
    }
    }
    if(!m_Resoult)
    {
        m_Resoult=CBase::GetValue(BASE_VALIST,va_base);
    }
    va_end(va_base);
    va_end(vl);
    return m_Resoult;
}

// FN_INVOKE copies the datagram text and queues this object on the port;
// FN_IOCP_HANDLER matches it against the policies (falls through to FALSE).
DWORD CIocpUdpHandler::Invoke(DWORD m_Code,...)
{
    va_list vl;
    va_start(vl, m_Code);
    DWORD m_Resoult = TRUE;
    switch(m_Code)
    {
    case FN_INVOKE:
    {
        // NOTE(review): same LPCSTR-to-string copy as above: bounded by the
        // first NUL rather than by t_Size.
        m_Event = va_arg(vl, LPCSTR);
        ULONG t_Size= va_arg(vl, ULONG);
        m_Resoult =PostQueuedCompletionStatus(hIocp, t_Size, (ULONG_PTR)this, NULL);
        break;
    }
    case FN_IOCP_HANDLER:
    {
        // deliberately no break: fall through to default so FALSE is returned
        if(m_Policy_p)
        {
            std::string t_Event_o;
            if(m_Policy_p->GetValue(BASE_AVAILABLE,&m_Event, &t_Event_o))
            {
                LpHandler->Invoke(ITEM_ADD,&t_Event_o);
            }
        }
    }
    default:
    {
        m_Resoult =FALSE;
    }
    }
    va_end(vl);
    return m_Resoult;
}

Policys正则匹配
// Policy store: loads regex-based policies from an XML file and matches
// incoming event text against them.
CPolicys::CPolicys(void)
{
    m_EventHandler = NULL;
}

CPolicys::~CPolicys(void)
{
}

// Reads <base filename> + POLICY_NAME into memory and parses its XML entries
// into m_Policys via XmlCallback. Also resolves the display event handler.
// Returns FALSE only if the file cannot be opened; a failed ReadFile still
// returns TRUE with m_Policys left unchanged.
BOOL CPolicys::Initialize()
{
    if(LpParent == NULL) return FALSE;
    std::string t_FileName, t_Tmp;
    LpParent->GetValue(BASE_FILENAME,&t_FileName);
    t_FileName += POLICY_NAME;
    LpParent->GetValue(BASE_OBJECT,BASE_EVENT, &m_EventHandler);
    HANDLE hFile =CreateFile(t_FileName.c_str(), GENERIC_READ, FILE_SHARE_READ |FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if(hFile == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    // NOTE(review): GetFileSize's failure value (INVALID_FILE_SIZE) is not
    // checked before resize(); the size is also re-used as the bytes-read
    // out-parameter, so the string may be longer than what was actually read.
    ULONG t_Size = GetFileSize(hFile, NULL);
    t_Tmp.resize(t_Size);
    // NOTE(review): writing through a casted c_str() pointer; &t_Tmp[0] is the
    // conventional way to obtain a writable buffer.
    if(ReadFile(hFile,(LPSTR)t_Tmp.c_str(), t_Size, &t_Size, NULL))
    {
        // NOTE(review): m_Policys is cleared and refilled without holding
        // m_Section, which GetValue(BASE_AVAILABLE) locks while iterating;
        // confirm this is only ever called before matching starts.
        m_Policys.clear();
        CWorkSpace::XmlContext t_Context;
        t_Context.m_Type = XML_WORK_GROUP;
        t_Context.LpGroup = &m_Policys;
        t_Context.LpMitem = NULL;
        SplitXml(t_Tmp.c_str()," ", " ", " ", XmlCallback, &t_Context);
    }
    CloseHandle(hFile);
    return TRUE;
}

// SplitXml callback for one policy element. Parses the attribute list
// (pid, eventid, name, field, table, regexmatch, regexsplit) and inserts a
// CPolicy keyed by pid into the POLICY map carried in m_Context->LpGroup.
// Elements without a pid are skipped.
void WINAPI CPolicys::XmlCallback(LPCSTR LpStr, size_t nLen, LPVOID m_Context)
{
    if(LpStr == NULL || nLen == 0 ||m_Context == NULL)
        return;
    std::string t_Tmp;
    CStringParse m_Parse;
    m_Parse.SetBuffer(LpStr, nLen);
    m_Parse.SetPartition(NULL,"\" ");
    m_Parse.SetTrim('"');
    m_Parse.Parse();
    CPolicy t_Policy;
    t_Tmp =m_Parse.GetValue("pid");
    if(t_Tmp.empty()) return;
    t_Policy.SetPolicyID(ATOUL(t_Tmp.c_str()));
    t_Tmp =m_Parse.GetValue("eventid");
    t_Policy.SetEventID(ATOUL(t_Tmp.c_str()));
    t_Tmp =m_Parse.GetValue("name");
    t_Policy.SetName(t_Tmp);
    t_Tmp =m_Parse.GetValue("field");
    t_Policy.SetFields(t_Tmp);
    t_Tmp =m_Parse.GetValue("table");
    t_Policy.SetTable(t_Tmp);
    t_Tmp =m_Parse.GetValue("regexmatch");
    t_Policy.SetRegexMatch(t_Tmp);
    t_Tmp =m_Parse.GetValue("regexsplit");
    t_Policy.SetRegexSplit(t_Tmp);
    CWorkSpace::XmlContext *t_Ctx_p;
    t_Ctx_p =(CWorkSpace::XmlContext*)m_Context;
    POLICY *t_Policy_p =(POLICY*)t_Ctx_p->LpGroup;
    if(t_Policy_p)
    {
        // map::insert keeps the first entry for a duplicate pid.
        t_Policy_p->insert(POLICY_PAIR(t_Policy.GetPolicyID(),t_Policy));
    }
}

// BASE_AVAILABLE (std::string* in, std::string* out): matches the incoming
// event text against each policy's regexmatch; on the first match, optionally
// forwards the event id to the display handler, splits the text with
// regexsplit and writes the pieces to *out as a comma-separated list of
// double-quoted fields. Returns TRUE iff some policy matched.
// Other codes are forwarded to CBase::GetValue.
BOOL CPolicys::GetValue(DWORD m_Code,...)
{
    va_list vl,va_base;
    va_start(vl,m_Code);
    va_base = (va_list)&m_Code;
    if(m_Code == BASE_VALIST)
    {
        vl = va_arg(vl,va_list);
        va_base = vl;
        m_Code =va_arg(vl,DWORD);
    }
    BOOL t_Resoult = TRUE;
    switch(m_Code)
    {
    case BASE_AVAILABLE:
    {
        t_Resoult =FALSE;
        std::string *t_Event_i, *t_Event_o;
        t_Event_i =va_arg(vl,std::string*);
        t_Event_o =va_arg(vl,std::string*);
        if(t_Event_i== NULL || t_Event_o == NULL) break;
        t_Event_o->clear();
        CLockSection t_Lock(m_Section);
        POLICY_ITER itra = m_Policys.begin();
        for(; itra!= m_Policys.end(); itra++)
        {
            std::string t_Match, t_Split;
            t_Match= itra->second.GetRegexMatch();
            t_Split= itra->second.GetRegexSplit();
            if(t_Match.empty()|| t_Split.empty())
            {
                continue;
            }
            // does the regular expression match?
            // NOTE(review): the pattern is compiled on every call for every
            // policy and applied to untrusted log text; boost::regex throws on
            // an invalid pattern or when its backtracking limit is exceeded,
            // and nothing here catches that. Pre-compiling at load time and
            // catching regex_error around the match would contain both.
            boost::regex expression(t_Match.c_str());
            boost::cmatch what;
            if(boost::regex_match(t_Event_i->c_str(),what, expression))
            {
                // NOTE(review): the section lock is released here, yet
                // itra->second is still read below before the loop exits.
                t_Lock.UnLock();t_Resoult = TRUE;
                if(m_EventHandler&& g_App.GetViewEvent()) // enqueue for display
                {
                    m_EventHandler->Invoke(ITEM_ADD,itra->second.GetEventID(), t_Event_i);
                }
                // parse with the split regular expression
                boost::regex e(t_Split.c_str());
                FIELD l;
                FIELDITER itrb;
                boost::regex_split(std::back_inserter(l),*t_Event_i, e);
                // Each field is wrapped in double quotes; quotes or commas
                // inside a field are not escaped.
                for(itrb= l.begin(); itrb != l.end(); itrb++)
                {
                    if(!t_Event_o->empty())
                    {
                        *t_Event_o+= ',';
                    }
                    *t_Event_o+= '\"';
                    *t_Event_o+= *itrb;
                    *t_Event_o+= '\"';
                }
                break;   // first matching policy wins
            }
        }
        break;
    }
    default:
    {
        t_Resoult=FALSE;
    }
    }
    if(!t_Resoult) // not handled here; defer to the base class
    {
        t_Resoult =CBase::GetValue(BASE_VALIST,va_base);
    }
    va_end(va_base);
    va_end(vl);
    return t_Resoult;
}
服务器端处理 (1)、首先通过解析DeviceIdentifier.xml,首先确定是否为支持的设备,支持的设备可以通过xml看出来。代码如下: ^\d\d\d\d-\d\d-\d\d\d\d\:\d\d\:\d\d \S+ \d+\.\d+\.\d+\.\d+ \S+ \S+ \S+ \d+ \S+ \d+\.\d+\.\d+\.\d+\S+ \d+ \d+ \d+$ (责任编辑:本港台直播) |