Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions benchmark/models/oml/aws.oml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name : /oml/normal/aws
rule : /aws/*
enable : false
enable : true
---
sent_bytes:digit = take(sent_bytes) ;
target_status_code:digit = take(target_status_code) ;
Expand All @@ -17,4 +17,4 @@ str_elb_status = match read(option:[elb_status_code]) {
digit(200) => chars(ok);
digit(404) => chars(error);
};
//* : auto = read();
* : auto = read();
4 changes: 2 additions & 2 deletions benchmark/models/oml/nginx.oml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name : /oml/normal/nginx
rule : /nginx/*
//enable : false
enable : true
---
size : digit = take(size);
status : digit = take(status);
Expand All @@ -12,4 +12,4 @@ match_chars = match read(option:[wp_src_ip]) {
ip(127.0.0.1) => chars(localhost);
!ip(127.0.0.1) => chars(attack_ip);
};
* : auto = take();
* : auto = read();
4 changes: 2 additions & 2 deletions benchmark/models/oml/nginx_static.oml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name : /oml/static/nginx
rule : /nginx/*
//enable : false
enable : true
---
static {
localhost = chars("localhost");
Expand All @@ -19,4 +19,4 @@ match_chars = match read(wp_src_ip) {
ip(127.0.0.1) => localhost ;
!ip(127.0.0.1) => attack_ip ;
};
* : auto = take();
* : auto = read();
5 changes: 2 additions & 3 deletions benchmark/models/wpl/mixed/sample.dat
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
180.57.30.148 - - [21/Jan/2025:01:40:02 +0800] "GET /nginx-logo.png HTTP/1.1" 500 368 "http://207.131.38.110/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" "-"
180.57.30.148 - - [21/Jan/2025:01:40:02 +0800] "GET /nginx-logo.png HTTP/1.1" 500 368 "http://207.131.38.110/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" "-"
180.57.30.148 - - [21/Jan/2025:01:40:02 +0800] "GET /nginx-logo.png HTTP/1.1" 500 368 "http://207.131.38.110/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36" "-"
http 2018-11-30T22:23:00.186641Z app/my-lb 192.168.1.10:2000 10.0.0.15:8080 0.01 0.02 0.01 200 200 100 200 "POST https://api.example.com/u?p=1&sid=2&t=3 HTTP/1.1" "Mozilla/5.0 (Win) Chrome/90" "ECDHE" "TLSv1.3" arn:aws:elb:us:123:tg "Root=1-test" "api.example.com" "arn:aws:acm:us:123:cert/short" 1 2018-11-30T22:22:48.364000Z "forward" "https://auth.example.com/r" "err" "10.0.0.1:80" "200" "cls" "rsn" TID_x1
http 2018-11-30T22:23:00.186641Z app/my-lb 192.168.1.10:2000 10.0.0.15:8080 0.01 0.02 0.01 200 200 100 200 "POST https://api.example.com/u?p=1&sid=2&t=3 HTTP/1.1" "Mozilla/5.0 (Win) Chrome/90" "ECDHE" "TLSv1.3" arn:aws:elb:us:123:tg "Root=1-test" "api.example.com" "arn:aws:acm:us:123:cert/short" 1 2018-11-30T22:22:48.364000Z "forward" "https://auth.example.com/r" "err" "10.0.0.1:80" "200" "cls" "rsn" TID_x1
2018-01-30 13:12:21 Security +01:00 Block: type=FWD|action=BLOCK|proto=UDP|ipVersion=4|srcIF=eth0|srcZone=LAN|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|srcNAT=0.0.0.0|srcCountry=CN|srcASN=4134|dstIF=eth1|dstZone=WAN|dstIP=10.17.34.255|dstPort=54915|dstService=custom_udp|dstNAT=0.0.0.0|dstCountry=US|dstASN=15169|rule=BLOCKALL|ruleType=FirewallPolicy|policyId=policy_10234|policyGroup=corp_default|interfaceGroup=internal_to_external|routingTable=main|connState=NEW|sessionId=843920184|sessionDuration=0|receivedPackets=0|sentPackets=0|receivedBytes=0|sentBytes=0|packetCount=1|byteCount=60|tcpFlags=|icmpType=|icmpCode=|application=unknown|applicationRisk=0|applicationCategory=unclassified|protocolDetection=enabled|detectedProtocol=udp_generic|user=john.doe|userGroup=employees|authMethod=ldap|vpnType=none|vpnTunnelId=0|contentProfile=default|contentAction=none|url=http://example.com/resource|urlCategory=uncategorized|threatLevel=0|threatName=none|signatureId=0|signatureVersion=0|limitProfile=default|rateLimitPps=1200|rateLimitBps=768000|logSource=box_firewall_activity|logType=activity|logVersion=1
2018-01-30 13:12:21 Security +01:00 Block: type=FWD|action=BLOCK|proto=UDP|ipVersion=4|srcIF=eth0|srcZone=LAN|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|srcNAT=0.0.0.0|srcCountry=CN|srcASN=4134|dstIF=eth1|dstZone=WAN|dstIP=10.17.34.255|dstPort=54915|dstService=custom_udp|dstNAT=0.0.0.0|dstCountry=US|dstASN=15169|rule=BLOCKALL|ruleType=FirewallPolicy|policyId=policy_10234|policyGroup=corp_default|interfaceGroup=internal_to_external|routingTable=main|connState=NEW|sessionId=843920184|sessionDuration=0|receivedPackets=0|sentPackets=0|receivedBytes=0|sentBytes=0|packetCount=1|byteCount=60|tcpFlags=|icmpType=|icmpCode=|application=unknown|applicationRisk=0|applicationCategory=unclassified|protocolDetection=enabled|detectedProtocol=udp_generic|user=john.doe|userGroup=employees|authMethod=ldap|vpnType=none|vpnTunnelId=0|contentProfile=default|contentAction=none|url=http://example.com/resource|urlCategory=uncategorized|threatLevel=0|threatName=none|signatureId=0|signatureVersion=0|limitProfile=default|rateLimitPps=1200|rateLimitBps=768000|logSource=box_firewall_activity|logType=activity|logVersion=1
2018-01-30 13:12:21 Security +01:00 Block: type=FWD|action=BLOCK|proto=UDP|ipVersion=4|srcIF=eth0|srcZone=LAN|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|srcNAT=0.0.0.0|srcCountry=CN|srcASN=4134|dstIF=eth1|dstZone=WAN|dstIP=10.17.34.255|dstPort=54915|dstService=custom_udp|dstNAT=0.0.0.0|dstCountry=US|dstASN=15169|rule=BLOCKALL|ruleType=FirewallPolicy|policyId=policy_10234|policyGroup=corp_default|interfaceGroup=internal_to_external|routingTable=main|connState=NEW|sessionId=843920184|sessionDuration=0|receivedPackets=0|sentPackets=0|receivedBytes=0|sentBytes=0|packetCount=1|byteCount=60|tcpFlags=|icmpType=|icmpCode=|application=unknown|applicationRisk=0|applicationCategory=unclassified|protocolDetection=enabled|detectedProtocol=udp_generic|user=john.doe|userGroup=employees|authMethod=ldap|vpnType=none|vpnTunnelId=0|contentProfile=default|contentAction=none|url=http://example.com/resource|urlCategory=uncategorized|threatLevel=0|threatName=none|signatureId=0|signatureVersion=0|limitProfile=default|rateLimitPps=1200|rateLimitBps=768000|logSource=box_firewall_activity|logType=activity|logVersion=1
#Feb 7 2025 15:07:18+08:00 USG1000E %%01ANTI-APT/4/ANTI-APT(l)[29]: An advanced persistent threat was detected. (SyslogId=1, VSys="public-long-virtual-system-name-for-testing-extra-large-value-to-simulate-enterprise-scenario", Policy="trust-untrust-high-risk-policy-with-deep-inspection-and-layer7-protection-enabled-for-advanced-threat-detection", SrcIp=192.168.1.123, DstIp=182.150.63.102, SrcPort=51784, DstPort=10781, SrcZone=trust-zone-with-multiple-segments-for-internal-security-domains-and-access-control, DstZone=untrust-wide-area-network-zone-with-external-facing-interfaces-and-honeynet-integration, User="unknown-long-user-field-used-for-simulation-purpose-with-extra-description-and-tags-[tag1][tag2][tag3]-to-reach-required-size", Protocol=TCP, Application="HTTP-long-application-signature-identification-with-multiple-behavior-patterns-and-deep-packet-inspection-enabled", Profile="IPS_default_advanced_extended_profile_with_ml_detection-long", Direction=aaa-long-direction-field-used-to-extend-size-with-additional-info-about-traffic-orientation-from-client-to-server, ThreatType=File Reputation with additional descriptive context of multi-layer analysis engine including sandbox-behavioral-signature-ml-static-analysis-and-network-correlation-modules-working-together, ThreatName=bbb-advanced-threat-campaign-with-code-name-operation-shadow-storm-and-related-IOCs-collected-over-multiple-incidents-in-the-wild-attached-metadata-[phase1][phase2][phase3], Action=ccc-block-and-alert-with-deep-scan-followed-by-quarantine-and-forensic-dump-generation-for-further-investigation, FileType=ddd-executable-binary-with-multiple-packed-layers-suspicious-import-table-behavior-and-evasion-techniques, Hash=eee1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef-long-hash-value-used-for-testing-purpose-extended-with-multiple-hash-representations-[MD5:aaa111bbb222ccc333]-[SHA1:bbb222ccc333ddd444]-[SHA256:ccc333ddd444eee555]-[SSDEEP:ddd444eee555fff666]-end-of-hash-section, ExtraInfo="This is additional extended information purposely added to inflate the total log size for stress testing of log ingestion engines such as Vector, Fluent Bit, self-developed ETL pipelines, and any high-throughput log processing systems. It contains repeated segments to simulate realistic verbose threat intelligence attachment blocks. [SEG-A-BEGIN] The threat was part of a coordinated multi-vector campaign observed across various geographic regions targeting enterprise networks with spear-phishing, watering-hole attacks, and supply-chain compromise vectors. Enriched indicators include C2 domains, malware families, behavioral clusters, sandbox detonation traces, and network telemetry correlation. [SEG-A-END] [SEG-B-BEGIN] Further analysis revealed that the payload exhibited persistence techniques including registry autoruns, scheduled tasks, masquerading, process injection, and lateral movement attempts leveraging remote service creation and stolen credentials. The binary contains multiple obfuscation layers, anti-debugging, anti-VM checks, and unusual API call sequences. [SEG-B-END] [SEG-C-BEGIN] IOC Bundle: Domains=malicious-domain-example-01.com,malicious-domain-example-02.net,malicious-update-service.info; IPs=103.21.244.0,198.51.100.55,203.0.113.77; FileNames=update_service.exe,winlog_service.dll,mscore_update.bin; RegistryKeys=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,HKLM\\System\\Services\\FakeService; Mutex=Global\\A1B2C3D4E5F6G7H8; YARA Matches=[rule1,rule2,rule3]. [SEG-C-END] EndOfExtraInfo")
168 changes: 168 additions & 0 deletions benchmark/monitor_linux.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
#!/bin/bash
# monitor.sh (v6 - 仅 CPU/内存均值与峰值)
# 保留核心功能:监控指定进程的 CPU 与内存,输出平均值和峰值。
show_help() {
cat << EOF
用法: $0 <进程名> [监控间隔] [总时长] [输出文件]

参数说明:
进程名 必填,要监控的进程名称 (例如 vector, wpflow)
监控间隔 采样间隔秒数 (默认: 1 秒)
总时长 监控总时长秒数 (默认: 30 秒)
输出文件 监控结果保存路径 (默认: monitoring_report.txt)

示例:
$0 vector
# 监控 vector 进程,间隔 1 秒,总时长 30 秒

$0 wpflow 2 60 wpflow_report.txt
# 监控 wpflow 进程,间隔 2 秒,总时长 60 秒,结果保存到 wpflow_report.txt
EOF
}

# --- 如果传 -h 或 --help 就打印帮助并退出 ---
if [[ "$1" == "-h" || "$1" == "--help" ]]; then
show_help
exit 0
fi

# --- 参数解析(带默认值) ---
PROCESS_NAME=${1}
INTERVAL=${2:-1}
DURATION=${3:-30}
OUTFILE=${4:-"monitoring_report.txt"}

if [ -z "$PROCESS_NAME" ]; then
echo "错误: 必须提供要监控的进程名作为第一个参数。" >&2
echo "使用 $0 --help 查看帮助。" >&2
exit 1
fi

echo "--- [1/3] 正在查找进程 '$PROCESS_NAME' ---"

# 确保 pidstat 可用;若缺失则尝试安装(需具备相应权限)
if ! command -v pidstat >/dev/null 2>&1; then
echo "未找到 pidstat,尝试安装..."
if command -v apt-get >/dev/null 2>&1; then
sudo apt-get update && sudo apt-get install -y sysstat
elif command -v yum >/dev/null 2>&1; then
sudo yum install -y sysstat
elif command -v dnf >/dev/null 2>&1; then
sudo dnf install -y sysstat
elif command -v zypper >/dev/null 2>&1; then
sudo zypper install -y sysstat
elif command -v pacman >/dev/null 2>&1; then
sudo pacman -Sy --noconfirm sysstat
else
echo "无法自动安装 pidstat,请手动安装 sysstat 包后重试。" >&2
exit 1
fi

if ! command -v pidstat >/dev/null 2>&1; then
echo "自动安装 pidstat 失败,请手动安装 sysstat 包后重试。" >&2
exit 1
fi
echo "pidstat 已安装。"
fi

PIDS=$(pgrep -x "$PROCESS_NAME")

if [ -z "$PIDS" ]; then
echo "错误: 找不到正在运行的 '$PROCESS_NAME' 进程。" >&2
exit 1
fi

pid_count=$(echo "$PIDS" | wc -l | xargs)
if [ "$pid_count" -gt 1 ]; then
echo "⚠️ 发现多个 '$PROCESS_NAME' 进程,请选择一个:"
select pid in $PIDS; do
if [ -n "$pid" ]; then
break
fi
done
else
pid=$PIDS
fi

echo "✅ 成功找到进程,PID: $pid"
echo "----------------------------------"

# --- 2. 执行监控 ---
echo "--- [2/3] 开始监控 ---"
echo "监控进程名: $PROCESS_NAME"
echo "监控 PID: $pid"
echo "采样间隔: $INTERVAL 秒"
echo "总时长: $DURATION 秒"
echo "结果将写入: $OUTFILE"
echo "----------------------------------"

cpu_sum=0
cpu_max=0
mem_sum=0
mem_max=0
count=0

start_time=$(date +%s)
end_time=$((start_time + DURATION))

> "$OUTFILE"

while [ "$(date +%s)" -lt "$end_time" ]; do
if ! ps -p "$pid" > /dev/null; then
echo "⚠️ 目标进程 PID '$pid' 已退出,监控提前结束。" >&2
break
fi

read -r cpu mem_kb < <(pidstat -u -r -p "$pid" 1 1 | awk '
/%CPU/ { getline; cpu_val=$8 }
/RSS/ { getline; mem_val=$7 }
END { if (cpu_val == "") cpu_val="N/A"; if (mem_val == "") mem_val="N/A"; print cpu_val, mem_val }
')

if [[ "$cpu" =~ ^[0-9]+([.][0-9]+)?$ && "$mem_kb" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
mem_mb=$(awk "BEGIN {print $mem_kb / 1024}")
printf "实时: CPU %5.1f%% | Mem %8.2f MB\n" "$cpu" "$mem_mb"

cpu_sum=$(awk "BEGIN {print $cpu_sum + $cpu}")
mem_sum=$(awk "BEGIN {print $mem_sum + $mem_mb}")

cpu_max=$(awk "BEGIN {print ($cpu > $cpu_max) ? $cpu : $cpu_max}")
mem_max=$(awk "BEGIN {print ($mem_mb > $mem_max) ? $mem_mb : $mem_max}")

count=$((count + 1))
else
echo "⚠️ 无法从 pidstat 输出中获取有效数据。CPU='$cpu', Mem='$mem_kb'" >&2
fi

sleep "$INTERVAL"
done

echo "----------------------------------"
echo "--- [3/3] 生成监控报告 ---"

if [ $count -eq 0 ]; then
echo "❌ 错误: 没有采集到任何有效数据。" >&2
exit 1
fi

cpu_avg=$(awk "BEGIN {print $cpu_sum/$count}")
mem_avg=$(awk "BEGIN {print $mem_sum/$count}")

{
echo "========== 性能监控汇总 =========="
echo "监控时间: $(date)"
echo "进程名: $PROCESS_NAME"
echo "PID: $pid"
echo "采样次数: $count 次"
echo "------------------------------------"
printf "平均 CPU 使用率: %.2f %%\n" "$cpu_avg"
printf "峰值 CPU 使用率: %.2f %%\n" "$cpu_max"
echo "------------------------------------"
printf "平均内存使用 (RSS): %.2f MB\n" "$mem_avg"
printf "峰值内存使用 (RSS): %.2f MB\n" "$mem_max"
echo "===================================="
} > "$OUTFILE"

echo "✅ 监控结束,汇总报告已保存到: $OUTFILE"
echo
cat "$OUTFILE"
Loading
Loading