开源运维工具研发与实践-03开源安全信息管理平台最佳实

企业级开源安全信息管理平台最佳实践@李晨光的微博主要议题运维现状传统网管工具到开源工具的演变开源工具整合的困惑集成安全平台应用背景及需求分析接入层交换机汇聚层交换机接入层交换机接入层交换机核心层交换机汇聚层交换机Internet出口防火墙监控平台手工编写脚本。故障时在多Termina间通过awk、grep分析日志抓包……2613:59:50192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_tssime=2001-3-2613:03:31src=192.168.60.208dst=192.168.60.65src_port=45529dst_port=633service=TCPport633policy_id=32767duration=0sent=0rcvd=40action=DenyMar2614:01:10192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_time=2001-3-2613:04:47src=192.168.60.208dst=192.168.60.65src_port=45532dst_port=964service=TCPport964policy_id=32767duration=0sent=0rcvd=40action=DenyMar2614:02:30192.168.60.65QA-Netscreen-10:netscreen:Usernetscreentelnetmanagementsessionfrom(192.168.60.232:4383)timedout(2001-3-2613:12:15)Mar2614:43:03192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_time=2001-3-2614:41:22src=192.168.60.208dst=192.168.60.65src_port=39629dst_port=792service=TCPport792policy_id=32767duration=0sent=0rcvd=40action=DenyMar2614:44:23192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_time=2001-3-2614:41:22src=192.168.60.208dst=192.168.60.65src_port=39629dst_port=1527service=TCPport1527policy_id=32767duration=0sent=0rcvd=40action=DenyMar2614:45:43192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_time=2001-3-2614:41:22src=192.168.60.208dst=192.168.60.65src_port=39629dst_port=418service=TCPport418policy_id=32767duration=0sent=0rcvd=40action=DenyMar2614:47:03192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_time=2001-3-2614:41:22src=192.168.60.208dst=192.168.60.65src_port=39629dst_port=983service=TCPport983policy_id=32767duration=0sent=0rcvd=40action=DenyMar2614:48:23192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_time=2001-3-2614:41:22src=192.168.60.208dst=192.168.60.65src_port=39629dst_port=28service=TCPport28policy_id=32767duration=0sent=0rcvd=40action=DenyMar2614:49:43192.168.60.65QA-Netscreen-10:NetScreenTrafficLog:device_id=QA-Netscreen-10start_time=2001-3-2614:41:22src=192.168.60.208dst=192.168.60.65src_port=39629dst_port=761service=TCPport761policy_id=32767duration=0sent=0rcvd=40num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;xlatesrc;xlatedst;xlatesport;xlatedport;icmp-type;icmp-code;reason:;sys_msgs0;26Mar2001;17:50:58;fw_dev1;control;ctl;;daemon;inbound;;;;;;;;;;;;;;;startedsendinglogtolocalhost1;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Chris1;soc1_DB1(ValidAddress);ms_sql_445;3120;48;14;D-Chris1;soc1_DB1;3120;ms_sql_445;;;;2;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Chris1;soc1_DB1(ValidAddress);nbsession;3121;48;14;D-Chris1;soc1_DB1;3121;nbsession;;;;3;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Daniel1;soc1_backend_DB(ValidAddress);ms_sql_445;2106;48;14;D-Daniel1;soc1_backend_DB;2106;ms_sql_445;;;;4;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Daniel1;soc1_backend_DB(ValidAddress);nbsession;2108;48;14;D-Daniel1;soc1_backend_DB;2108;nbsession;;;;5;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Chris1;soc1_AuxDB(ValidAddress);ms_sql_445;3122;48;14;D-Chris1;soc1_AuxDB;3122;ms_sql_445;;;;6;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Chris1;soc1_AuxDB(ValidAddress);nbsession;3123;48;14;D-Chris1;soc1_AuxDB;3123;nbsession;;;;7;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Daniel1;soc1_AuxDB(ValidAddress);ms_sql_445;2109;48;14;D-Daniel1;soc1_AuxDB;2109;ms_sql_445;;;;8;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Daniel1;soc1_AuxDB(ValidAddress);nbsession;2110;48;14;D-Daniel1;soc1_AuxDB;2110;nbsession;;;;9;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Daniel1;soc1_DB1(ValidAddress);ms_sql_445;2111;48;14;D-Daniel1;soc1_DB1;2111;ms_sql_445;;;;10;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Daniel1;soc1_DB1(ValidAddress);nbsession;2112;48;14;D-Daniel1;soc1_DB1;2112;nbsession;;;;11;26Mar2001;17:50:58;fw_dev1;log;accept;;DC21X41;inbound;tcp;D-Daniel1;soc1_backend_DB(ValidAddress);ms_sql_445;2113;48;14;D-Daniel1;soc1_backend_DB;2113;ms_sql_445;;;;2001-03-1310:29:43|drag-sensor1|DRAGONRIDER-START|0.0.0.0|0.0.0.0|0|0|?||0|dv=,tz=GMT|2001-03-1310:30:32|drag-sensor1|DRAGONRIDER-START|0|0|0|0|?||0|dv=,tz=GMT|2001-03-1311:02:05|drag-sensor1|HEARTBEAT|0|0|0|0|I||0|IP=1380,ICMP=0,TCP=1237,UDP=143,EVENTS=1,DROP=0,VER=4.2.2|2001-03-1312:02:44|drag-sensor1|HEARTBEAT|0|0|0|0|I||0|IP=201,ICMP=0,TCP=3,UDP=198,EVENTS=1,DROP=0,VER=4.2.2|2001-03-1312:23:23|drag-sensor1|TCP-SCAN|727912620|1684213932|0|0|I|------S-|0|total=490,min=2,max=1024,up=241,down=249,flags=------S-,Mar13-12:22,Mar13-12:23|2001-03-1312:23:23|drag-sensor1|TCP-SCAN|727912620|1684213932|55564|0|I|------S-|0|total=500,min=1,max=1022,up=242,down=258,sp=55564,flags=------S-,Mar13-12:23,Mar13-12:23|2001-03-1312:24:31|drag-sensor1|TCP-SCAN|727912