星盘指标测试poc记录

山石防火墙端口扫描 514 100.18.18.18 2022-10-24
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.43:3306(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.44:3389(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.45:9200(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.46:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.47:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.48:3389(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.49:3306(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.40:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.5:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.6:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.6:3389(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.200.3.7:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN

绿盟IPS 516 2022-10-24
<5>time:2022-10-24 16:02:44;danger_degree:3;breaking_sighn:1;event:[24797]PHPUnit 远程代码执行漏洞(CVE-2017-9841);src_addr:http://192.168.50.10/#/sjgl/sjetl;src_port:43926;dst_addr:10.131.2.112;dst_port:80;proto:HTTP;user:
<5>time:2022-10-24 16:02:45;danger_degree:3;breaking_sighn:1;event:[24567]泛微e-cology OA系统远程代码执行漏洞;src_addr:100.12.12.12;src_port:46395;dst_addr:10.131.2.112;dst_port:80;proto:HTTP;user:
<5>time:2022-10-24 16:28:34;danger_degree:3;breaking_sighn:0;event:[29001]Web服务远程SQL注入攻击可疑行为(startracker);src_addr:100.12.12.12;src_port:40376;dst_addr:10.131.1.22;dst_port:80;proto:HTTP;user:
<5>time:2022-10-24 16:28:35;danger_degree:3;breaking_sighn:0;event:[60245]HTTP SQL注入尝试类型八;src_addr:100.12.12.12;src_port:40391;dst_addr:10.131.1.22;dst_port:80;proto:HTTP;user:
<5>time:2022-10-24 16:28:35;danger_degree:3;breaking_sighn:0;event:[41499]HTTP请求敏感路径访问尝试;src_addr:100.12.12.12;src_port:40388;dst_addr:10.131.1.22;dst_port:80;proto:HTTP;user:
<5>time:2022-10-24 16:28:35;danger_degree:3;breaking_sighn:1;event:[23135]GNU Bash 环境变量远程命令执行漏洞(CVE-2014-6271);src_addr:100.12.12.12;src_port:41508;dst_addr:10.131.1.22;dst_port:80;proto:HTTP;user:
<5>time:2022-10-24 16:28:35;danger_degree:3;breaking_sighn:1;event:[23135]GNU Bash 环境变量远程命令执行漏洞(CVE-2014-6271);src_addr:100.28.28.28;src_port:41508;dst_addr:10.131.1.22;dst_port:80;proto:HTTP;user:



绿盟WAF 5141 恶意扫描 2022-10-24
<11>Oct 27 17:25:40 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:52074 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:39 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:CNGM
<11>Oct 27 17:25:40 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:53421 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:39 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:40 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:53417 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:39 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:40 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:52070 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:39 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:40 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:52078 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:39 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:42 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:53435 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:40 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:42 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:53430 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:40 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:56 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:59513 method:GET domain:yun.edutest.cn uri:/lib///....//....//....//....//....//....//....//....//etc//passwd alertlevel:HIGH event_type:Web_Server_Bug stat_time:2022-10-24 17:25:52 policy_id:524287 rule_id:27526130 action:Block block:No block_info:None http:GET /lib///....//....//....//....//....//....//....//....//etc//passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip alertinfo:None proxy_info:None characters:7,55,1,7,3,/lib/..../..../..../..../..../..../..../..../etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:CNGM4
<11>Oct 27 17:25:56 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:60864 method:GET domain:yun.edutest.cn uri:/user/lib///....//....//....//....//....//....//....//....//etc//passwd alertlevel:HIGH event_type:Web_Server_Bug stat_time:2022-10-24 17:25:54 policy_id:524287 rule_id:27526130 action:Block block:No block_info:None http:GET /user/lib///....//....//....//....//....//....//....//....//etc//passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:7,60,1,12,3,/user/lib/..../..../..../..../..../..../..../..../etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:56 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:59513 method:GET domain:yun.edutest.cn uri:/lib///....//....//....//....//....//....//....//....//etc//passwd alertlevel:HIGH event_type:Web_Server_Bug stat_time:2022-10-24 17:25:52 policy_id:524287 rule_id:27526130 action:Block block:No block_info:None http:GET /lib///....//....//....//....//....//....//....//....//etc//passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip alertinfo:None proxy_info:None characters:7,55,1,7,3,/lib/..../..../..../..../..../..../..../..../etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:CNGM4
<11>Oct 27 17:25:42 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:53426 method:GET domain:yun.edutest.cn uri:/user/eam/vib?id=/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:40 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/eam/vib?id=/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,14,1,3,11,id=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:23:51 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:50952 method:GET domain:yun.edutest.cn uri:/user/etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:23:49 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Range: bytes=0-8096 Referer: http://yun.edutest.cn/ alertinfo:None proxy_info:None characters:7,16,1,5,11,/user/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:24:58 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:32240 method:GET domain:yun.edutest.cn uri:/wxjsapi/saveYZJFile?fileName=adm&downloadUrl=file:///etc/passwd&fileExt=txt alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:24:56 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /wxjsapi/saveYZJFile?fileName=adm&downloadUrl=file:///etc/passwd&fileExt=txt HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,30,1,17,13,downloadUrl=file:///etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:40 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:50941 method:GET domain:yun.edutest.cn uri:/user/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1 alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:38 policy_id:2359295 rule_id:18612236 action:Block block:No block_info:None http:GET /user/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1 HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,15,1,4,11,url=/etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:24:58 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:34702 method:GET domain:yun.edutest.cn uri:/user/adm/pathtraversal/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd alertlevel:HIGH event_type:Web_Server_Bug stat_time:2022-10-24 17:24:57 policy_id:524287 rule_id:27526130 action:Block block:No block_info:None http:GET /user/adm/pathtraversal/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:7,60,1,32,3,/user/adm/pathtraversal/master/../../../../../../etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:56 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:59513 method:GET domain:yun.edutest.cn uri:/lib///....//....//....//....//....//....//....//....//etc//passwd alertlevel:HIGH event_type:Web_Server_Bug stat_time:2022-10-24 17:25:52 policy_id:524287 rule_id:27526130 action:Block block:No block_info:None http:GET /lib///....//....//....//....//....//....//....//....//etc//passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip alertinfo:None proxy_info:None characters:7,55,1,7,3,/lib/..../..../..../..../..../..../..../..../etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:CNGM4
<11>Oct 27 17:24:52 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:26138 method:GET domain:yun.edutest.cn uri:/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a alertlevel:HIGH event_type:Web_Server_Bug stat_time:2022-10-24 17:24:51 policy_id:524287 rule_id:27526130 action:Block block:No block_info:None http:GET /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip alertinfo:None proxy_info:None characters:7,47,1,1,3,/../../../../../../../../../../../etc/passwd#/a||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:24:54 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:26161 method:GET domain:yun.edutest.cn uri:/user/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf alertlevel:HIGH event_type:Web_Server_Bug stat_time:2022-10-24 17:24:52 policy_id:524287 rule_id:27526130 action:Block block:No block_info:None http:GET /user/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Referer: http://yun.edutest.cn/ Accept-Encoding: gzip alertinfo:None proxy_info:None characters:7,48,1,15,3,/user/a/b//.%2f../../../../../../etc/resolv.conf||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China
<11>Oct 27 17:25:38 localhost waf: tag:waf_log_websec site_id:1521092804 protect_id:2521094130 dst_ip:10.131.2.adm dst_port:80 src_ip:100.18.18.18 src_port:48463 method:GET domain:yun.edutest.cn uri:/index.php?target=db%5fsql.php%253f/../../../../../../../../etc/passwd alertlevel:HIGH event_type:Path_Traversal stat_time:2022-10-24 17:25:36 policy_id:2359295 rule_id:18612238 action:Block block:No block_info:None http:GET /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd HTTP/1.1 Host: yun.edutest.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Cookie: edutestyuncookie=FEFAD4A135ED9A630FDA20BB449BBA10; SESSION=MzY1N2RkNzktMDlkOC00YzI5LWEyOWItYzAxMWIxMzgwNjdm Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip alertinfo:None proxy_info:None characters:33,53,1,19,3,target=db_sql.php?/../../../../../../../../etc/passwd||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:China


绿盟WAF 5141 恶意攻击 2022-10-24
<11>Oct 27 18:16:26 localhost waf: tag:waf_log_websec site_id:1448267979 protect_id:2448268132 dst_ip:10.131.2.10 dst_port:80 src_ip:100.18.18.18 src_port:46459 method:GET domain:www.edutest.cn uri:/admin/cms%5fchannel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION%5fSCHEMA.CHARACTER%5fSETS+GROUP+BY+x)a)%2d%2d%2b alertlevel:HIGH event_type:SQL_Injection stat_time:2022-10-24 18:16:25 policy_id:2359299 rule_id:18612302 action:Block block:No block_info:None http:GET /admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b HTTP/1.1 Host: www.edutest.cn:443 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Referer: http://www.edutest.cn/admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b Upgrade-Insecure-Requests: 1 alertinfo:None proxy_info:None characters:33,152,1,37,6,del=123456 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7e,md5(202072102),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--+||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:Local area Network
<11>Oct 27 18:16:35 localhost waf: tag:waf_log_websec site_id:1448267979 protect_id:2448268132 dst_ip:10.131.2.10 dst_port:80 src_ip:100.18.18.18 src_port:7395 method:GET domain:www.edutest.cn uri:/index.php?option=com%5fcontenthistory&view=history&list%5bordering%5d=&item%5fid=1&type%5fid=1&list%5bselect%5d=updatexml(0x23%2cconcat(1%2cmd5(8888))%2c1) alertlevel:HIGH event_type:SQL_Injection stat_time:2022-10-24 18:16:31 policy_id:2359299 rule_id:18612300 action:Block block:No block_info:None http:GET /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1) HTTP/1.1 Host: www.edutest.cn:443 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Referer: http://www.edutest.cn/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1) Upgrade-Insecure-Requests: 1 alertinfo:None proxy_info:None characters:33,50,1,28,7,list[select]=updatexml(0x23,concat(1,md5(8888)),1)||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:Local area Network
<11>Oct 27 09:03:15 localhost waf: tag:waf_log_websec site_id:1448267979 protect_id:2448268132 dst_ip:10.131.2.10 dst_port:80 src_ip:100.18.18.18 src_port:17518 method:GET domain:www.edutest.cn uri://uc/data/config.inc.php.bak alertlevel:MEDIUM event_type:Download_limit stat_time:2022-10-24 09:03:12 policy_id:2883587 rule_id:0 action:Block block:No block_info:None http:GET //uc/data/config.inc.php.bak HTTP/1.1 Host: www.edutest.cn X-Forwarded-For: 32.67.92.142 Client-IP: 32.67.92.142 REMOTE_ADDR: 32.67.92.142 Accept: text/html, application/xhtml+xml, */* Content-Type: text/html User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html Referer: http://www.edutest.net//uc/data/config.inc.php.bak alertinfo:filetype 'bak' matched: bak. proxy_info:None characters:None count_num:1 protocol_type:HTTP wci:None wsi:None country:Local area Network
<11>Oct 27 09:03:26 localhost waf: tag:waf_log_websec site_id:1448267979 protect_id:2448268132 dst_ip:10.131.2.10 dst_port:80 src_ip:100.18.18.18 src_port:28633 method:GET domain:www.edutest.cn uri://include/search.php?key=%7Bif:1==1)echo%20md5(niubi);//%7D%7Bend%20if%7D alertlevel:HIGH event_type:OS_CMD_Injection stat_time:2022-10-24 09:03:24 policy_id:2359299 rule_id:25612334 action:Block block:No block_info:None http:GET //include/search.php?key=%7Bif:1==1)echo%20md5(niubi);//%7D%7Bend%20if%7D HTTP/1.1 Host: www.edutest.cn X-Forwarded-For: 74.215.46.69 Client-IP: 74.215.46.69 REMOTE_ADDR: 74.215.46.69 Accept: text/html, application/xhtml+xml, */* Content-Type: text/html User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html Referer: http://www.edutest.net//include/search.php?key={if:1==1)echo%20md5(niubi);//}{end%20if} alertinfo:None proxy_info:None characters:33,40,1,12,6,key={if:1==1)echo md5(niubi);//}{end if}||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:Local area Network
<11>Oct 27 09:03:26 localhost waf: tag:waf_log_websec site_id:1448267979 protect_id:2448268132 dst_ip:10.131.2.10 dst_port:80 src_ip:100.18.18.18 src_port:28633 method:GET domain:www.edutest.cn uri://include/search.php?key=%7Bif:1==1)echo%20md5(niubi);//%7D%7Bend%20if%7D alertlevel:HIGH event_type:OS_CMD_Injection stat_time:2022-10-24 09:03:24 policy_id:2359299 rule_id:25612334 action:Block block:No block_info:None http:GET //include/search.php?key=%7Bif:1==1)echo%20md5(niubi);//%7D%7Bend%20if%7D HTTP/1.1 Host: www.edutest.cn X-Forwarded-For: 74.215.46.69 Client-IP: 74.215.46.69 REMOTE_ADDR: 74.215.46.69 Accept: text/html, application/xhtml+xml, */* Content-Type: text/html User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html Referer: http://www.edutest.net//include/search.php?key={if:1==1)echo%20md5(niubi);//}{end%20if} alertinfo:None proxy_info:None characters:33,40,1,12,6,key={if:1==1)echo md5(niubi);//}{end if}||||| count_num:1 protocol_type:HTTP wci:None wsi:None country:Local area Network

绿盟IPS 516 文件上传
<5>time:2022-10-24 19:30:12;danger_degree:3;breaking_sighn:0;event:[68654]可疑Webshell脚本文件上传行为;src_addr:100.18.18.18;src_port:51874;dst_addr:10.131.2.167;dst_port:80;proto:HTTP;user:


绿盟IPS 516 webshell访问
<5>time:2022-10-24 19:37:25;danger_degree:3;breaking_sighn:0;event:[40958]木马后门程序Chopper Webshell检测;src_addr:100.18.18.18;src_port:54952;dst_addr:10.131.2.167;dst_port:80;proto:HTTP;user:

山石防火墙 514 数据外流 要与上条的目标IP联动
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756000,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7757600,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 77887856,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 77677556,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7346756,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 77236456,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 74347756,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 77343456,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 77323256,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 77232356,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 77232456,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7798756,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7734556,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7776556,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN
<190>Oct 27 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.18.18.18:62492->10.131.2.167:80(TCP), application HTTP, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 775456,start time 2022-10-24 19:39:05,close time 2022-10-24 19:39:06,session end,TCP FIN

深信服VPN 515 登录失败 adm
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!
<7>[login][failure]adm from IP 100.18.18.18: Invalid username or password!

深信服VPN 515 登录成功   连续失败这个不命中

<7>[login][success]adm from IP 100.18.18.18: Log in successfully!

------------------------------------------------------------------------------------------------------------

求和
1.山石防火墙测试数据基于源IP地址聚合，计算发送字节-求和=1000（近5分钟）

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.134.18.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.134.18.18:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 100.134.18.18:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-24 15:30:05,close time 2022-10-24 15:30:06,session end,TCP FIN

------------------------------------------------------------------------------------------------------------

求平均
2.山石防火墙测试数据基于源IP地址聚合，计算发送字节-求平均=2000（近5分钟，数据分类里面更改哪个时间段-字段生效）

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 111.136.12.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:32:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 111.136.12.18:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:33:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 111.136.12.18:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:34:45,close time 2022-10-24 15:30:06,session end,TCP FIN

------------------------------------------------------------------------------------------------------------

求最小值
3.山石防火墙测试数据基于源IP地址聚合，计算发送字节-求最小值=500（近5分钟，数据分类里面更改哪个时间段-字段生效）

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 113.136.12.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 15:31:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 113.136.12.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:32:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 113.136.12.18:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:33:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 113.136.12.18:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 500,receive packets 9,receive bytes 7756,start time 2022-10-31 15:34:45,close time 2022-10-24 15:30:06,session end,TCP FIN

------------------------------------------------------------------------------------------------------------

求最大值
4.山石防火墙测试数据基于源IP地址聚合，计算发送字节-求最大值=5200（近5分钟，数据分类里面更改哪个时间段-字段生效）

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 135.136.12.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 15:01:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 135.136.12.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:02:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 135.136.12.18:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:03:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 135.136.12.18:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:04:05,close time 2022-10-24 15:30:06,session end,TCP FIN

得出结论，在测试过程中，选择类似start time或者datetime等时间，通过nc -u 192.168.50.10 521 发送数据可以直接粘贴，如果每次复制粘贴时间都跟上一次时间一样，那么就会产生同一时间产生多条数据，会导致测试结果不准确，故实际测试过程中可直接复制，但是必须每次复制测试过程中将时间都修改一次，建议依次向后递减设置，每条数据以分钟为单位递增。
------------------------------------------------------------------------------------------------------------

次数统计
5.山石防火墙测试数据基于源IP地址聚合，计算来源IP出现的次数，统计得出一个数值（近5分钟，数据分类里面更改哪个时间段-字段生效）

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 136.136.12.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 15:11:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 136.137.12.18:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:12:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 136.138.12.18:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:13:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 136.136.12.18:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 15:14:05,close time 2022-10-24 15:30:06,session end,TCP FIN

上面的策略结果是计算来源IP出现两次就可在威胁看板处查看日志命中一次，上面日志poc来源IP136.136.12.18出现两次

------------------------------------------------------------------------------------------------------------

关联个数
6.山石防火墙测试数据基于源IP地址聚合，计算日志里面同一个源IP地址对应关联多个不同的端口，统计得出一个数值（近5分钟，数据分类里面更改哪个时间段-字段生效）

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 101.106.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:11:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 101.106.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 16:12:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 101.106.12.108:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 16:13:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 101.106.12.108:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 16:14:05,close time 2022-10-24 15:30:06,session end,TCP FIN

上面的策略结果是基于源IP地址聚合，计算日志里面同一个源IP地址对应关联多个不同的端口，统计得出是有两个目的端口为23的端口

------------------------------------------------------------------------------------------------------------

关联取值
7.山石防火墙测试数据基于应用名称聚合，计算日志里面同一个应用名称对应最早的来源IP地址不等于当前最近5分钟之内的当前来源IP地址，（近5分钟，数据分类里面更改哪个时间段-字段生效）

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.106.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:30:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.106.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:31:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.106.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 16:32:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.106.12.108:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 16:33:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 107.126.12.108:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 16:34:05,close time 2022-10-24 15:30:06,session end,TCP FIN

上面的策略结果是基于同一个应用名称进行聚合，找出近5分钟之内最早一次的来源IP不等于当前5分钟之内的最近当前的来源IP地址。
这里测试至少需要5条数据，并且每条数据的时间点是以分钟为单位的数据，每分钟需要一条数据

------------------------------------------------------------------------------------------------------------

事件时间差
8.山石防火墙测试数据基于来源IP地址聚合，时间字段选择发生时间，取值方式选择最早，时间单位是分钟，指标会基于来源IP地址分组，并取出来源IP的值，然后再取出基于来源IP地址对应在近5分钟之内最早的发生时间，在配置规则的时候，规则会取近5分钟最近一次或者理解为当前的发生时间取减去刚才指标取出的最早时间，她们之间相减得到事件时间差，例如下面的例子就是：2022-10-31 17:04:45 - 2022-10-31 17:00:45 = 4分钟 （近5分钟，数据分类里面更改哪个时间段-字段生效）

规则配置的时候，指标-选择查询字段：来源IP-扩展字段：发生时间-近5分钟内；数字等于常量4

经典的样例是，基于用户进行聚合，时间字段选择发生时间，取值方式选择最早，时间单位是分钟，记录出账号的初始创建时间，再统计账号最近的删除时间，她们之间的差值过小，即可在威胁看板查看告警。

两个测试成功的poc原始数据

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 129.126.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:00:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 129.126.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:01:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 129.126.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:02:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 129.126.12.108:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:03:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 129.126.12.108:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:04:45,close time 2022-10-24 15:30:06,session end,TCP FIN

2022-10-31 17:04:45 - 2022-10-31 17:00:45 = 4分钟 

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 139.126.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:05:40,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 139.126.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:05:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 139.126.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:06:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 139.126.12.108:62492->10.200.3.4:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:07:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 139.126.12.108:62492->10.200.3.41:1521(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:08:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 139.126.12.108:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:09:30,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 139.126.12.108:62492->10.200.3.42:22(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:09:40,close time 2022-10-24 15:30:06,session end,TCP FIN

2022-10-31 17:09:40 - 2022-10-31 17:05:40 = 4分钟 

------------------------------------------------------------------------------------------------------------

TOPX
9.山石防火墙测试数据基于来源IP地址聚合,统计目标IP的TOP3，其中TOP字段目的IP，TOP长度3（近5分钟，数据分类里面更改哪个时间段-字段生效）

原理：当插入数据达到TOPX的条件后，再插入一条基于跟上面同样的目标IP，但是没有出现在（榜单）TOP3上的来源IP地址的数据，此时调用TOPX的这个指标，结果会返回0，之后再插入一条数据，同样是目标IP跟上面相同，且来源IP地址也是在上面的TOP3（榜单）上，此时会返回1

测试数据

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:50:36,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:50:37,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:50:38,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:51:41,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:51:42,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:52:43,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:52:44,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 112.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:52:45,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 142.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:15,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 142.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:16,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 142.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:17,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 142.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:18,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 142.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 1000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:19,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 126.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:25,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 126.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 126.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:27,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:12:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 126.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 2000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:53:28,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 132.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:54:53,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:13:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 142.126.12.108:62492->10.200.3.50:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 3000,receive packets 9,receive bytes 7756,start time 2022-10-31 17:54:54,close time 2022-10-24 15:30:06,session end,TCP FIN


同一时间快速发送同一数据会有抑制，不会再触发同一规则命中次数，得再等1分钟之后再触发。

在榜单top3里面，topx指标会返回等于1

山石fwtest访问-基于来源IP地址-统计目的IP-TOP3-在榜单top3  ( 65分)
命中次数：
6
首次命中时间：
2022-10-31 17:50:36
最近命中时间：
2022-10-31 17:54:54
最近命中规则详情： 从2022-10-31 17:50:00到2022-10-31 17:54:54，目标IP被常见的142.126.12.108访问，经常访问这个目标IP10.200.3.50的地址是112.126.12.108、142.126.12.108、126.126.12.108

----------------------------------------------------------------------------------------------------------------

不在榜单top3里面，topx指标会返回等于0

山石fwtest访问-基于来源IP地址-统计目的IP-TOP3-不在榜单top3  ( 65分)
命中次数：
1
首次命中时间：
2022-10-31 17:54:53
最近命中时间：
2022-10-31 17:54:53
最近命中规则详情： 从2022-10-31 17:50:00到2022-10-31 17:54:53，目标IP10.200.3.50被不常见的来源IP132.126.12.108访问，经常访问这个目标IP的地址是112.126.12.108、142.126.12.108、126.126.12.108、132.126.12.108。
------------------------------------------------------------------------------------------------------------

活跃数
10.山石防火墙测试数据基于来源IP地址和目的IP聚合,统计来源IP和目标IP，在近5分钟之内活跃数等于3次，理解为就是在5分钟之内来源IP和目标IP同时出现3次（近5分钟，数据分类里面更改哪个时间段-字段生效）

活跃数，是基于活跃天，活跃时，活跃分来计算的单位，理解为，假如近7天内，同样的来源ip有3天出现，那么活跃数的单位就是天，活跃数等于3，这个单位取决于配置规则的时候定义。

测试数据

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 172.126.12.108:62492->10.200.3.52:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:50:36,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 172.126.12.108:62492->10.200.3.52:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:51:38,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 172.126.12.108:62492->10.200.3.52:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:52:40,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 173.126.12.108:62492->10.200.3.52:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:53:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 174.126.12.108:62492->10.200.3.52:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:54:16,close time 2022-10-24 15:30:06,session end,TCP FIN

测试结果：

山石fwtest访问-基于来源IP地址-目标IP-近5分钟之内聚合后活跃数出现3次 ( 70分)
命中次数：
1
首次命中时间：
2022-10-31 18:52:40
最近命中时间：
2022-10-31 18:52:40
最近命中规则详情： 从2022-10-31 18:48:00命中来源IP172.126.12.108和目标IP10.200.3.52在最近5分钟之内聚合后出现3次。


------------------------------------------------------------------------------------------------------------

时间间隔
11.山石防火墙测试数据基于来源IP地址-近30分钟之内发生时间之间间隔的平均时间，理解为就是聚合来源IP的基础之上，计算来源IP发生时间之间的间隔，然后求她们之间间隔的平均值（近30分钟，数据分类里面更改哪个时间段-字段生效）

测试数据

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.126.12.108:62492->10.200.3.56:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:00:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.126.12.108:62492->10.200.3.56:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:05:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.126.12.108:62492->10.200.3.56:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:10:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.126.12.108:62492->10.200.3.56:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:15:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.126.12.108:62492->10.200.3.56:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:20:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 103.126.12.108:62492->10.200.3.56:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN

测试结果：

山石fwtest访问-基于来源IP地址-近30分钟之内发生时间之间间隔的平均时间 ( 75分)
命中次数：
5
首次命中时间：
2022-10-31 19:05:00
最近命中时间：
2022-10-31 19:25:00
最近命中规则详情： 从5到命中来源IP103.126.12.108和发生时间1667215500000之间的时间间隔的平均时间是5分钟

------------------------------------------------------------------------------------------------------------

时间集中度
12.山石防火墙测试数据基于来源IP地址-目标IP地址-目标端口进行聚合，指标参数同样聚合前面3个字段，时间片数量是1，集中度阈值45%（过去5小时，数据分类里面更改哪个时间段-字段生效）

指标原理
去找过去5小时内，聚合的相同数据在这过去5小时出现的总次数作为被除数，因为上面时间片数量是1，所以会去拿每个时间片前面相同聚合的数据字段计算她的次数，然后作为除数，使用这个除数/被除数如果>=45%那就被命中，此时的指标范围结果是1

测试数据

<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 13:26:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 14:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 14:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 14:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 14:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 14:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 15:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 15:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 15:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 16:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:21:26,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:22:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 16:23:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:24:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 17:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 18:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN
<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 20:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN

测试结果

山石fwtest访问-基于来源IP地址-目标IP-目标端口-过去5小时之内-时间集中度 ( 80分)
命中次数：
8
首次命中时间：
2022-10-31 14:21:26
最近命中时间：
2022-10-31 19:25:00
最近命中规则详情： 从2022-10-31 14:00:00命中2022-10-31 19:25:00在近5分钟之内某一分钟之内的时间片10条数据有9条数据命中来源IP213.156.16.120，目的IP10.200.8.88和目标端口23的聚合，百分位是14/29=48%-大于等于40%-<190>Oct 31 13:11:06 2206409150000938(root) 44243624 Traffic@FLOW: SESSION: 213.156.16.120:62492->10.200.8.88:23(TCP), application WeChat-File-Transfer, interface aggregate1, vr trust-vr, policy 3, user -@-, host -, send packets 10,send bytes 800,receive packets 9,receive bytes 7756,start time 2022-10-31 19:25:00,close time 2022-10-24 15:30:06,session end,TCP FIN
------------------------------------------------------------------------------------------------------------

次数统计
13.山石防火墙测试数据基于来源IP地址-（近5分钟，数据分类里面更改哪个时间段-字段生效）

迷茫的人生，需要不断努力，才能看清远方模糊的志向！