我正在尝试使用SQL数据库中的netflow数据创建DoS检测程序。到目前为止,我对如何实现这一点有一般的想法,但需要一些指导。
到目前为止,该计划的流程是:
<?php
$run = 'true';
$servername = "10.1.80.50";
$username = "netflow";
$password = "********";
$dbname = "netflow";
$flowQuery = 'SELECT distinct TIMESTAMP, SRCADDR, DSTADDR, SRCPORT, DSTPORT, PROT FROM netflow.flows ORDER BY DSTADDR ASC';
// Query flows for unique timed flows
$conn = mysqli_connect($servername, $username, $password, $dbname);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$flows = mysqli_query($conn, $flowQuery);
// Begin creating baseline data
while ($run == 'true') {
while($row = $flows->fetch_assoc()) {
$baselineQuery = 'SELECT FROM_UNIXTIME((UNIX_TIMESTAMP(TIMESTAMP) div (5*60))*(5*60)+(5*60)) as timeIntervals,
ROUND(SUM(DPKTS),0) as PACKETDATA,
MIN(DPKTS) AS MINPACKETS,
MAX(DPKTS) AS MAXPACKETS,
ROUND(SUM(DOCTETS),0) as OCTETDATA,
MIN(DOCTETS) AS MINOCTETS,
MAX(DOCTETS) AS MAXOCTETS
FROM (
SELECT FLOW_ID,TIMESTAMP,EXADDR,SRCADDR,DSTADDR,SRCPORT,DSTPORT,DPKTS,DOCTETS
FROM netflow.flows WHERE SRCADDR = "'.$row["SRCADDR"].'" AND DSTADDR = "'.$row["DSTADDR"].'" AND DSTPORT = "'.$row["DSTPORT"].'" AND SRCPORT = "'.$row["SRCPORT"].'" AND PROT = "'.$row["PROT"].'"
ORDER BY FLOW_ID DESC LIMIT 500
) AS custom
GROUP BY 1 ORDER BY timeIntervals DESC
LIMIT 240';
$baselines = mysqli_query($conn, $baselineQuery);
}
usleep(60000000);
}
print_r($baselines);
?>
我的逻辑是:
我知道代码远未完成,可能非常草率,但任何帮助都非常感谢!