从MySQL中提取netflow数据并检测异常

时间:2015-02-08 02:49:05

标签: php mysql arrays ddos netflow

我正在尝试使用SQL数据库中的netflow数据创建DoS检测程序。到目前为止,我对如何实现这一点有一般的想法,但需要一些指导。

到目前为止,该计划的流程是:

<?php
$run = 'true';
$servername = "10.1.80.50";
$username = "netflow";
$password = "********";
$dbname = "netflow";
$flowQuery = 'SELECT distinct TIMESTAMP, SRCADDR, DSTADDR, SRCPORT, DSTPORT, PROT FROM netflow.flows ORDER BY DSTADDR ASC';

// Query flows for unique timed flows

$conn = mysqli_connect($servername, $username, $password, $dbname);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}

$flows = mysqli_query($conn, $flowQuery);

// Begin creating baseline data

while ($run == 'true') {
    while($row = $flows->fetch_assoc()) {
        $baselineQuery = 'SELECT FROM_UNIXTIME((UNIX_TIMESTAMP(TIMESTAMP) div (5*60))*(5*60)+(5*60)) as timeIntervals, 
        ROUND(SUM(DPKTS),0) as PACKETDATA,
        MIN(DPKTS) AS MINPACKETS, 
        MAX(DPKTS) AS MAXPACKETS,
        ROUND(SUM(DOCTETS),0) as OCTETDATA,
        MIN(DOCTETS) AS MINOCTETS, 
        MAX(DOCTETS) AS MAXOCTETS
        FROM (
        SELECT FLOW_ID,TIMESTAMP,EXADDR,SRCADDR,DSTADDR,SRCPORT,DSTPORT,DPKTS,DOCTETS 
        FROM netflow.flows WHERE SRCADDR = "'.$row["SRCADDR"].'" AND DSTADDR = "'.$row["DSTADDR"].'" AND DSTPORT = "'.$row["DSTPORT"].'" AND SRCPORT = "'.$row["SRCPORT"].'" AND PROT = "'.$row["PROT"].'" 
        ORDER BY FLOW_ID DESC LIMIT 500
        ) AS custom
        GROUP BY 1 ORDER BY timeIntervals DESC 
        LIMIT 240';
    $baselines = mysqli_query($conn, $baselineQuery);
    }        
usleep(60000000);
}

print_r($baselines);

?>

我的逻辑是:

  1. 查找过去8小时内的所有独特流量。
  2. 使用此数据可查找每个独特流程的所有流量数据。
  3. 将创建的数组拆分为每个流的子数组或单个数组。
  4. 每个流都有自己的数组,平均数据包和数据得到伪基线。
  5. 将最新的流量输入与这些平均值进行比较,并确定是否存在异常(一个方向的数据流量增加/减少超过200%)。
  6. 如果检测到异常,请拍摄提示有关该事件的电子邮件。
  7. 等待60秒并恢复循环。
  8. 我知道代码远未完成,可能非常草率,但任何帮助都非常感谢!

0 个答案:

没有答案