-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathmini.drl
123 lines (110 loc) · 3.84 KB
/
mini.drl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
//package com.rules.trojan
import com.model.problem.Trojan
import com.model.other.Time
import com.model.other.Type
import com.model.other.Item
// This rule is a naive simple to detect Trojan
// Key Logic:
// 1. Usually a host machine within trojan upload more frequently than download
// 1. 通常来说在木马发作期间,感染木马的机器上传数据的次数比下载数据的次数多
// 2. Usually a host machine within trojan upload package with larger size then dowonload
// 2. 通常来说在木马发作期间,感染木马的机器上传数据的总量比下载数据的总量大
// 3. Usually a host machine within trojan upload package with larger size then which without trojan
// 3. 通常来说在木马发作期间,感染木马的机器上传数据的次数,比其他机器的平均上传次数多
// 4. Usually a host machine within trojan upload more frequently than which without trojan
// 4. 通常来说在木马发作期间,感染木马的机器上传数据的总量,比其他机器的平均上传总量大
// Only when the data suits all four key logic, then the host machine would be detected as the trojan infected
//=========================================================================
// Set the runtime environment
//=========================================================================
rule "SET: begin detection time"
salience 100
lock-on-active true
dialect "mvel"
when
$time : Time()
then
$time.setbeginTime(1490630400)
System.out.println(" [Rule] SET: begin detection time 1490630400")
update($time)
end
rule "SET: end detection time"
salience 100
lock-on-active true
dialect "mvel"
when
$time : Time()
then
$time.setendTime(1490634000)
System.out.println(" [Rule] SET: end detection time 1490634000")
update($time)
end
rule "VERIFY: verify the time operation"
//lock-on-active true
dialect "mvel"
when
$time : Time(beginTime == 1490630400 && endTime == 1490634000)
then
System.out.println(" [Rule] VERIFY: verify the time operation :Correct")
end
rule "SET: detection type"
lock-on-active true
dialect "mvel"
when
$type : Type()
then
$type.setType("Trojan")
System.out.println(" [Rule] SET: end detection type Trojan")
update($type)
end
//==========================================================================
// Set the statistical data required for judgement
//=========================================================================
rule "Action: Acquire the TCP upload flow amount for each IP"
lock-on-active true
salience 10
dialect "mvel"
when
$item : Item()
$time : Time()
then
$item.SS_TCP_UPLOAD_SIZE_SRCIP($time,"Default")
System.out.println(" [Rule] Action: Acquire the TCP upload flow amount: "+$item.obj)
//update($item)
end
rule "Action: Acquire the TCP download flow amount for each IP"
lock-on-active true
salience 10
dialect "mvel"
when
$item : Item()
$time : Time()
then
$item.SS_TCP_DOWNLOAD_SIZE_DSTIP($time,"Default")
System.out.println(" [Rule] Action: Acquire the TCP download flow amount: "+$item.obj)
//update($item)
end
rule "Action: Acquire the TCP upload flow times for each IP"
lock-on-active true
salience 10
dialect "mvel"
when
$item : Item()
$time : Time()
then
$item.SS_TCP_UPLOAD_COUNT_SRCIP($time,"Default")
System.out.println(" [Rule] Action: Acquire the TCP upload flow times: "+$item.obj)
//update($item)
end
rule "Action: Acquire the TCP download flow times for each IP"
lock-on-active true
salience 10
dialect "mvel"
when
$item : Item()
$time : Time()
then
$item.SS_TCP_DOWNLOAD_COUNT_DSTIP($time,"Default")
System.out.println(" [Rule] Action: Acquire the TCP download flow times: "+$item.obj)
//update($item)
end