//package com.rules.trojan
import com.model.problem.Trojan
import com.model.other.Time
import com.model.other.Type
import com.model.other.Item
// This rule set is a naive, simple heuristic for detecting a Trojan-infected host from TCP flow statistics.
// Key Logic:
// 1. Usually, while a Trojan is active, the infected host uploads more often than it downloads
// 1. 通常来说在木马发作期间,感染木马的机器上传数据的次数比下载数据的次数多
// 2. Usually, while a Trojan is active, the infected host uploads a larger total volume than it downloads
// 2. 通常来说在木马发作期间,感染木马的机器上传数据的总量比下载数据的总量大
// 3. Usually, while a Trojan is active, the infected host uploads more often than the average of the other hosts
// 3. 通常来说在木马发作期间,感染木马的机器上传数据的次数,比其他机器的平均上传次数多
// 4. Usually, while a Trojan is active, the infected host uploads a larger total volume than the average of the other hosts
// 4. 通常来说在木马发作期间,感染木马的机器上传数据的总量,比其他机器的平均上传总量大
// A host is meant to be flagged as Trojan-infected only when all four conditions hold.
// Caveat: the Comparison rules below each record one ratio check on the Item; the final four-way AND is not
// performed in this file. The detection window (one hour, hard-coded epoch seconds) and the ratio thresholds
// ("5" and "3", passed as strings) are also hard-coded and are not read from any configuration.
//=========================================================================
// Set the runtime environment
//=========================================================================
rule "SET: begin detection time"
    // Environment setup: pins the start of the analysis window on the Time fact.
    // salience 100 makes it fire before the statistics (10) and comparison (0) rules;
    // lock-on-active keeps the update() below from re-activating this rule.
    dialect "mvel"
    lock-on-active true
    salience 100
    when
        $time : Time()
    then
        // 1490630400 = 2017-03-27T16:00:00Z, a hard-coded constant (no external input).
        System.out.println(" [Rule] SET: begin detection time 1490630400")
        $time.setbeginTime(1490630400)
        update($time)
end
rule "SET: end detection time"
    // Environment setup: pins the end of the analysis window on the Time fact.
    // Same salience/lock-on-active scheme as the begin-time rule.
    dialect "mvel"
    lock-on-active true
    salience 100
    when
        $time : Time()
    then
        // 1490634000 = 2017-03-27T17:00:00Z, i.e. one hour after the begin time.
        System.out.println(" [Rule] SET: end detection time 1490634000")
        $time.setendTime(1490634000)
        update($time)
end
rule "VERIFY: verify the time operation"
    // Sanity check that both SET rules wrote the expected window bounds.
    // Runs at the default salience (0), i.e. after the SET rules at 100.
    // lock-on-active is deliberately left unset here (the original had it commented out).
    dialect "mvel"
    when
        Time( beginTime == 1490630400, endTime == 1490634000 )
    then
        System.out.println(" [Rule] VERIFY: verify the time operation :Correct")
end
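rule "SET: detection type"
    // Environment setup: labels this run as a Trojan detection on the Type fact.
    // salience 100 added to match the other SET rules, so the runtime environment
    // is fully initialised before any Action (10) or Comparison (0) rule fires;
    // previously this rule ran at the default salience 0, after statistics were gathered.
    salience 100
    lock-on-active true
    dialect "mvel"
    when
        $type : Type()
    then
        $type.setType("Trojan")
        // Log text corrected: it previously read "end detection type" (copy-paste from the end-time rule).
        System.out.println(" [Rule] SET: detection type Trojan")
        update($type)
end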
//==========================================================================
// Set the statistical data required for judgement
//=========================================================================
rule "Action: Acquire the TCP upload flow amount for each IP"
    // Statistics step (salience 10): after the SET rules, before the Comparison rules.
    // Delegates to the Item helper; the name suggests a per-source-IP TCP upload byte
    // total for the window, but the helper's behaviour and the meaning of "Default"
    // are defined in Item, not here.
    dialect "mvel"
    lock-on-active true
    salience 10
    when
        $item : Item() && $time : Time()
    then
        $item.SS_TCP_UPLOAD_SIZE_SRCIP($time,"Default")
        // NOTE: prints the whole $item.obj to stdout. update($item) is intentionally
        // not called here (lock-on-active would suppress re-firing anyway).
        System.out.println(" [Rule] Action: Acquire the TCP upload flow amount: "+$item.obj)
end
rule "Action: Acquire the TCP download flow amount for each IP"
    // Statistics step (salience 10). The helper name suggests a per-destination-IP
    // TCP download byte total for the window; actual semantics live in Item.
    dialect "mvel"
    lock-on-active true
    salience 10
    when
        $item : Item() && $time : Time()
    then
        $item.SS_TCP_DOWNLOAD_SIZE_DSTIP($time,"Default")
        // Whole $item.obj goes to stdout; no update($item) here.
        System.out.println(" [Rule] Action: Acquire the TCP download flow amount: "+$item.obj)
end
rule "Action: Acquire the TCP upload flow times for each IP"
    // Statistics step (salience 10). The helper name suggests a per-source-IP
    // TCP upload flow count for the window; actual semantics live in Item.
    dialect "mvel"
    lock-on-active true
    salience 10
    when
        $item : Item() && $time : Time()
    then
        $item.SS_TCP_UPLOAD_COUNT_SRCIP($time,"Default")
        // Whole $item.obj goes to stdout; no update($item) here.
        System.out.println(" [Rule] Action: Acquire the TCP upload flow times: "+$item.obj)
end
rule "Action: Acquire the TCP download flow times for each IP"
    // Statistics step (salience 10). The helper name suggests a per-destination-IP
    // TCP download flow count for the window; actual semantics live in Item.
    dialect "mvel"
    lock-on-active true
    salience 10
    when
        $item : Item() && $time : Time()
    then
        $item.SS_TCP_DOWNLOAD_COUNT_DSTIP($time,"Default")
        // Whole $item.obj goes to stdout; no update($item) here.
        System.out.println(" [Rule] Action: Acquire the TCP download flow times: "+$item.obj)
end
rule "Action: Acquire the average TCP upload flow size for all IP"
    // Statistics step (salience 10). The helper name suggests the average TCP upload
    // byte total across all source IPs, used later as the "upload-average-size" baseline.
    dialect "mvel"
    lock-on-active true
    salience 10
    when
        $item : Item() && $time : Time()
    then
        $item.SA_TCP_UPLOAD_SIZE_AVERAGE_SRCIP($time,"Default")
        // Whole $item.obj goes to stdout; no update($item) here.
        System.out.println(" [Rule] Action: Acquire the average TCP upload flow size: "+$item.obj)
end
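rule "Action: Acquire the average TCP upload flow times for all IP"
    // Statistics step (salience 10). Calls SA_TCP_UPLOAD_COUNT_AVERAGE_SRCIP, i.e. the
    // average TCP upload flow count across all source IPs, which is the baseline the
    // "upload-average-count" Comparison rule needs. The rule name and log line
    // previously said "average TCP download flow size", which matched neither the
    // call nor any later consumer (no download average is used anywhere in this file);
    // both are corrected here. The call itself is unchanged.
    dialect "mvel"
    lock-on-active true
    salience 10
    when
        $item : Item()
        $time : Time()
    then
        $item.SA_TCP_UPLOAD_COUNT_AVERAGE_SRCIP($time,"Default")
        // Whole $item.obj goes to stdout; no update($item) here.
        System.out.println(" [Rule] Action: Acquire the average TCP upload flow times: "+$item.obj)
end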
//==========================================================================
// Finish the comparison between different data
//==========================================================================
rule "Comparison: Compare the TCP upload flow and TCP download flow size"
    // Comparison step (salience 0): runs after all Action rules. Records check #2
    // (upload volume vs. download volume) on the Item via the shared ratio helper.
    // Threshold "5" is a hard-coded string; how it is parsed is defined in Item.
    // update($item) is called here, unlike in the Action rules.
    dialect "mvel"
    lock-on-active true
    salience 0
    when
        $item : Item() && $time : Time()
    then
        $item.SC_TCP_DOWLOAD_UPLOAD_RATIO($time,"upload-download-size","5","TCP upload size is obviously larger than download size")
        System.out.println(" [Rule] Comparison: Compare the TCP upload flow and TCP download flow size "+$item.obj)
        update($item)
end
rule "Comparison: Compare the TCP upload flow and TCP download flow times"
    // Comparison step (salience 0). Records check #1 (upload count vs. download count)
    // on the Item; threshold "3" is a hard-coded string.
    dialect "mvel"
    lock-on-active true
    salience 0
    when
        $item : Item() && $time : Time()
    then
        $item.SC_TCP_DOWLOAD_UPLOAD_RATIO($time,"upload-download-count","3","TCP upload times is obviously more than download times")
        System.out.println(" [Rule] Comparison: Compare the TCP upload flow and TCP download flow times: "+$item.obj)
        update($item)
end
rule "Comparison: Compare the TCP upload flow and average upload flow size"
    // Comparison step (salience 0). Records the upload-volume-vs-average check on the
    // Item; depends on SA_TCP_UPLOAD_SIZE_AVERAGE_SRCIP having run (salience 10).
    // Threshold "5" is a hard-coded string.
    dialect "mvel"
    lock-on-active true
    salience 0
    when
        $item : Item() && $time : Time()
    then
        $item.SC_TCP_DOWLOAD_UPLOAD_RATIO($time,"upload-average-size","5","TCP upload size is obviously larger than average size")
        System.out.println(" [Rule] Comparison: Compare the TCP upload flow and average upload flow size: "+$item.obj)
        update($item)
end
rule "Comparison: Compare the TCP upload flow and average upload flow times"
    // Comparison step (salience 0). Records the upload-count-vs-average check on the
    // Item; depends on SA_TCP_UPLOAD_COUNT_AVERAGE_SRCIP having run (salience 10).
    // Threshold "3" is a hard-coded string.
    dialect "mvel"
    lock-on-active true
    salience 0
    when
        $item : Item() && $time : Time()
    then
        $item.SC_TCP_DOWLOAD_UPLOAD_RATIO($time,"upload-average-count","3","TCP upload times is obviously more than average times")
        System.out.println(" [Rule] Comparison: Compare the TCP upload flow and average upload flow times: "+$item.obj)
        update($item)
end