SIEM\uff08Security Information and Event Management\uff0c\u5b89\u5168\u4fe1\u606f\u548c\u4e8b\u4ef6\u7ba1\u7406\u7cfb\u7edf\uff09\u662f\u4e00\u79cd\u7528\u4e8e\u5b9e\u65f6\u76d1\u63a7\u3001\u68c0\u6d4b\u548c\u54cd\u5e94\u5b89\u5168\u4e8b\u4ef6\u7684\u7efc\u5408\u5b89\u5168\u89e3\u51b3\u65b9\u6848\u3002\u5b83\u7ed3\u5408\u4e86SIM\uff08Security Information Management\uff0c\u5b89\u5168\u4fe1\u606f\u7ba1\u7406\uff09<\/strong>\u548cSEM\uff08Security Event Management\uff0c\u5b89\u5168\u4e8b\u4ef6\u7ba1\u7406\uff09<\/strong>\u7684\u529f\u80fd\uff0c\u5e2e\u52a9\u7ec4\u7ec7\u7ba1\u7406\u6d77\u91cf\u65e5\u5fd7\u6570\u636e\u3001\u8bc6\u522b\u6f5c\u5728\u5a01\u80c1\uff0c\u5e76\u81ea\u52a8\u5316\u54cd\u5e94\u6d41\u7a0b\u3002SIEM \u7cfb\u7edf\u5e7f\u6cdb\u5e94\u7528\u4e8e\u4f01\u4e1a\u5b89\u5168\u8fd0\u7ef4\u4e2d\uff0c\u5c24\u5176\u5728\u68c0\u6d4b\u5f02\u5e38\u767b\u5f55\u3001\u5165\u4fb5\u884c\u4e3a\u7b49\u65b9\u9762<\/p>\n\n\n\n \u901a\u5e38\u91c7\u7528push-pull\u6df7\u5408\uff1a<\/p>\n\n\n\n Push\u6a21\u5f0f\u7531\u6570\u636e\u6e90\u4e3b\u52a8\u53d1\u9001\u65e5\u5fd7\uff0c\u9002\u5408\u5b9e\u65f6\u6027<\/strong>|<\/p>\n<\/div>\n\n\n\n |Pull\u6a21\u5f0f\u7531SIEM\u670d\u52a1\u5668\u5b9a\u671f\u62c9\u53d6\uff0c\u9002\u5408\u4e91\u73af\u5883<\/strong><\/p>\n<\/div>\n<\/div>\n\n\n\n \u5728\u5f02\u5e38\u767b\u5f55\u573a\u666f\uff0c\u91c7\u96c6Windows Event Logs \u6216 Linux auth.log \u65f6\uff0c\u9700\u8981\u5904\u7406\u65e5\u5fd7\u8f6e\u8f6c\uff08log rotation\uff09\u4ee5\u907f\u514d\u6570\u636e\u4e22\u5931<\/p>\n<\/blockquote>\n\n\n\n \u7f3a\u70b9\uff1a\u6570\u636e\u91cf\u5e9e\u5927\uff0c\u9700\u8981\u538b\u7f29\u4f20\u8f93\u548c\u8fc7\u6ee4\u65e0\u5173\u65e5\u5fd7\u3002Python\u4e2d\uff0c\u53ef\u4ee5\u5229\u7528logging\u6a21\u5757<\/mark>\u6216pywin32<\/mark>\u5904\u7406Windows\u65e5\u5fd7<\/p>\n\n\n\n \u7531\u4e8e\u65e5\u5fd7\u683c\u5f0f\u591a\u6837\u5316\uff08.json\u3001CEF\u3001Syslog\uff09\uff0c\u89e3\u6790\u7528\u6b63\u5219\u6216\u89e3\u6790\u5668\u3002\u63d0\u53d6\u5b57\u6bb5\u540e\uff0c\u6dfb\u52a0\u5143\u6570\u636e\uff08\u5982\u4e8b\u4ef6ID\u3001\u4e25\u91cd\u5ea6\u3001\u9891\u7387\uff09<\/p>\n\n\n\n \u8fd9\u4e00\u5c42\u548c\u5206\u6790\u5173\u8054\u5c42<\/strong>\u9ad8\u5ea6\u7ed1\u5b9a\uff0c\u540c\u65f6\u4f1a\u7275\u626f\u5230\u4e00\u4e2a\u5371\u9669\u5ea6\u9ad8\u7684\u6f5c\u5728\u653b\u51fb\u2014\u2014APT<\/p>\n\n\n\n \u6ca1\u6709\u7ecf\u8fc7\u6807\u51c6\u5316\u7684\u65e5\u5fd7\u65e0\u6cd5\u5173\u8054\uff0c\u9ad8\u9891\u7684\u4e8b\u4ef6\u62a5\u544a\u53ef\u4ee5\u548cAPT\u5173\u8054\u8d77\u6765\uff0c\u9632\u6b62\u540e\u7eedAPT\u6e17\u900f\u5185\u7f51\u9020\u6210\u4e25\u91cd\u8d22\u4ea7\u635f\u5931<\/p>\n<\/blockquote>\n\n\n\n Python\u5b9e\u73b0\uff1a\u7528re<\/mark>\u6216grok-py<\/mark>\u5e93\u89e3\u6790\uff0c\u7edf\u4e00schema\u5982\uff08\u201ctimestamp\u201d\uff1a\u201c\u2026\u201d\uff1b\u201cevent_type\u201d:”\u2026\u201d\uff1b\uff09\uff0c\u65b9\u4fbf\u56e2\u961f\u67e5\u770b\u548c\u8fa8\u8ba4<\/p>\n\n\n\n CEP\uff08Complex Event Processing\uff09<\/p>\n\n\n\n \u6982\u5ff5<\/strong> <\/p>\n\n\n\n Complex Event Processing\uff08\u590d\u6742\u4e8b\u4ef6\u5904\u7406\uff09\u662f\u4e00\u79cd\u5b9e\u65f6\u5904\u7406\u6280\u672f\uff0c\u5b83\u4ece\u591a\u4e2a\u4e8b\u4ef6\u6d41\uff08event streams\uff09\u4e2d\u68c0\u6d4b\u590d\u6742\u6a21\u5f0f<\/strong>\u3001\u65f6\u95f4\u76f8\u5173\u6027<\/strong>\u3001\u56e0\u679c\u5173\u7cfb<\/strong>\u6216\u8d8b\u52bf<\/strong>\uff0c\u800c\u4e0d\u662f\u53ea\u770b\u5355\u4e2a\u4e8b\u4ef6\u3002 \u5b83\u5173\u6ce8\u201c\u4e8b\u4ef6\u7684\u7ec4\u5408\u4e0e\u65f6\u5e8f\u201d\uff0c\u80fd\u8bc6\u522b\u51fa\u7b80\u5355\u89c4\u5219\u5f15\u64ce\u65e0\u6cd5\u53d1\u73b0\u7684\u9ad8\u9636\u5a01\u80c1<\/p>\n\n\n\n \u5178\u578b\u4ee3\u8868\u5de5\u5177<\/strong>\uff1aEsper\uff08\u5f00\u6e90 Java CEP \u5f15\u64ce\uff09\u3001Apache Flink CEP\u3001Drools Fusion\u3001IBM Operational Decision Manager \u7b49<\/p>\n\n\n\n \u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n \u793a\u4f8b\u573a\u666f <\/strong><\/p>\n\n\n\n \u7528\u6237 A \u6b63\u5e38\u5de5\u4f5c\u65f6\u95f4\u4ece\u4e1c\u4eac\u767b\u5f55\uff0c\u7a81\u7136\u5728\u51cc\u6668\u4ece\u4fc4\u7f57\u65af IP \u767b\u5f55\uff0c\u4e14 2 \u5206\u949f\u5185\u5c1d\u8bd5\u8bbf\u95ee 10 \u4e2a\u654f\u611f\u670d\u52a1\u5668 \u2192 CEP \u53ef\u4ee5\u7528\u4e00\u6761 EPL\uff08Event Processing Language\uff09\u8bed\u53e5\u68c0\u6d4b\u8fd9\u79cd\u8de8\u65f6\u95f4\u3001\u8de8\u6765\u6e90\u7684\u6a21\u5f0f<\/p>\n<\/details>\n\n\n\n \u5173\u8054\u793a\u4f8b\uff1a192.168.xxx.xxx\u5728\u4e94\u5206\u949f\u5185\u767b\u5f55\u5931\u8d25\u8d85\u8fc710\u6b21+\u7aef\u53e3\u626b\u63cf=\u9ad8\u5371\u544a\u8b66<\/p>\n\n\n\n \u6982\u5ff5<\/strong> UEBA = User and Entity Behavior Analytics<\/strong>\uff08\u7528\u6237\u4e0e\u5b9e\u4f53\u884c\u4e3a\u5206\u6790\uff09\u3002 \u5b83\u5229\u7528\u673a\u5668\u5b66\u4e60<\/strong>\uff08\u800c\u975e\u56fa\u5b9a\u89c4\u5219\uff09\u4e3a\u6bcf\u4e2a\u7528\u6237\u3001\u4e3b\u673a\u3001IP\u3001\u5e94\u7528\u7b49\u5b9e\u4f53\u5efa\u7acb\u52a8\u6001\u884c\u4e3a\u57fa\u7ebf<\/strong>\uff08baseline\uff09\uff0c\u7136\u540e\u6301\u7eed\u76d1\u63a7\u5f53\u524d\u884c\u4e3a\u4e0e\u57fa\u7ebf\u7684\u504f\u79bb\u7a0b\u5ea6\uff0c\u68c0\u6d4b\u5f02\u5e38<\/p>\n\n\n\n \u6838\u5fc3\u673a\u5236<\/strong><\/p>\n\n\n\n \u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n \u5b9e\u4f8b<\/strong><\/p>\n\n\n\n \u7528\u6237\u5e73\u65f6 9:00\u201318:00 \u4ece\u4e1c\u4eac IP \u767b\u5f55\u516c\u53f8\u90ae\u7bb1\uff0c\u7a81\u7136 03:00 \u4ece\u4fc4\u7f57\u65af IP \u767b\u5f55 \u2192 UEBA \u4f1a\u7ed9\u8be5\u884c\u4e3a\u6253\u9ad8\u98ce\u9669\u5206\uff0c\u751f\u6210\u5f02\u5e38\u4e8b\u4ef6\uff0c\u4f9b\u7b2c 5 \u5c42\u544a\u8b66\u3002<\/p>\n<\/details>\n\n\n\n \u6982\u5ff5<\/strong> SOAR = Security Orchestration, Automation and Response<\/strong>\uff08\u5b89\u5168\u7f16\u6392\u3001\u81ea\u52a8\u5316\u4e0e\u54cd\u5e94\uff09\u3002 \u5b83\u662f\u4e00\u4e2a\u6d41\u7a0b\u81ea\u52a8\u5316\u5e73\u53f0<\/strong>\uff0c\u628a\u5b89\u5168\u5de5\u5177\uff08SIEM\u3001EDR\u3001\u9632\u706b\u5899\u3001\u7968\u52a1\u7cfb\u7edf\u3001\u90ae\u4ef6\u7b49\uff09\u4e32\u8054\u8d77\u6765\uff0c\u901a\u8fc7\u9884\u5b9a\u4e49\u7684playbook<\/strong>\uff08\u5267\u672c\uff09\u81ea\u52a8\u6216\u534a\u81ea\u52a8\u6267\u884c\u54cd\u5e94\u52a8\u4f5c<\/p>\n\n\n\n \u5178\u578b\u4ee3\u8868\u5de5\u5177<\/strong><\/p>\n\n\n\n \u4e3b\u8981\u4f5c\u7528<\/strong><\/p>\n\n\n\n \u793a\u4f8b\u573a\u666f<\/strong>\uff08TheHive \u96c6\u6210\uff09 SIEM \u68c0\u6d4b\u5230\u66b4\u529b\u7834\u89e3 \u2192 \u81ea\u52a8\u89e6\u53d1 Shuffle\/TheHive playbook\uff1a<\/p>\n\n\n\n Python\u53ef\u8c03\u7528\u5916\u90e8API\uff08Slack for\u901a\u77e5\u3001iptables for\u5c01\u7981\uff09<\/p>\n\n\n\n SIEM\u91c7\u7528\u95ed\u73af\u6d41\u7a0b\u7684\u5de5\u4f5c\u673a\u5236\uff1a<\/p>\n\n\n\n \u73b0\u5047\u8bbe\u9700\u8981\u5f00\u53d1\u4e00\u4e2a\u6a21\u5757\u6765\u76d1\u63a7Linux\u7cfb\u7edf\u4e0b\u7684\/var\/log\/auth.log<\/mark>\u6587\u4ef6\uff0c\u5b9e\u65f6\u91c7\u96c6\u65e5\u5fd7\uff0c\u68c0\u6d4b\u5f02\u5e38\u767b\u5f55\uff0c\u5e76\u901a\u8fc7\u90ae\u4ef6\u53d1\u9001\u544a\u8b66<\/p>\n\n\n\n \u8fd9\u4e2a\u5b9e\u4f8b\u4f7f\u7528Python\u6807\u51c6\u5e93\u548c\u5c11\u91cf\u5185\u7f6e\u6a21\u5757\uff08\u5982re<\/mark>\u7528\u4e8e\u89e3\u6790\u3001smtplib<\/mark>\u7528\u4e8e\u90ae\u4ef6\uff09\u91c7\u7528\u6587\u4ef6\u5c3e\u968f\uff08tailing\uff09\u673a\u5236\u6a21\u62df\u5b9e\u65f6\u91c7\u96c6\uff08\u7c7b\u4f3clinux\u7684tail -f\u547d\u4ee4\uff09\uff0c\u907f\u514d\u4f9d\u8d56\u5916\u90e8\u5e93<\/p>\n\n\n\n \u4ee3\u7801\u793a\u4f8b\uff1a<\/p>\n\n\n\n SIEM\u7684\u6838\u5fc3\u67b6\u6784\u901a\u5e38\u88ab\u63cf\u8ff0\u4e3a\u5206\u5c42\u7ba1\u9053\uff08pipeline\uff09\u5f0f\u7ed3\u6784\uff0c\u903b\u8f91\u4e0a\u770b\uff0c\u516d\u5c42\u67b6\u6784\u6bcf\u5c42\u5b9e\u73b0\u7684\u6a21\u5757\u5206\u522b\u72ec\u7acb\u8fd0\u884c\u540e\u4ea4\u7ed9\u4e0b\u4e00\u5c42\uff0c\u7ecf\u8fc7\u95ed\u73af\u6d41\u7a0b\u5b9e\u73b0\u8bb0\u5f55\u3001\u7edf\u4e00\u3001\u5b58\u50a8\u3001\u5206\u6790\u3001\u54cd\u5e94\u3001\u4f18\u5316\u3002\u4f46\u4ece\u5b9e\u9645\u7cfb\u7edf\u8fd0\u884c\u4e2d\uff0c\u8fd9\u4e9b\u5c42\u90fd\u662f\u9ad8\u5ea6\u5e76\u884c\u3001\u5f02\u6b65\u3001\u6d41\u5f0f\u5904\u7406\uff0c\u5373\u540c\u4e00\u65f6\u523b\u6210\u5343\u4e0a\u4e07\u5404\u4e8b\u4ef6\u5728\u4e0d\u540c\u5c42\u3001\u4e0d\u540c\u8282\u70b9\u540c\u65f6\u88ab\u5904\u7406\u3002\u4e0b\u9762\u5c06\u9488\u5bf9\u5404\u5c42\u5355\u72ec\u7528\u4ee3\u7801\u4e3e\u4f8b\u89e3\u91ca<\/p>\n\n\n\n \u8d1f\u8d23\u4ece\u5404\u79cd\u6e90\u5934\u5b9e\u65f6\/\u6279\u91cf\u62c9\u53d6\u6216\u63a5\u6536\u65e5\u5fd7\uff0c\u5178\u578b\u7684\u5b9e\u73b0\u65b9\u5f0f<\/strong>\u6709\uff1a<\/p>\n\n\n\n \u6587\u4ef6tail\u3001Syslog UDP\/TCP\u63a5\u6536\u3001Beats\/Filebeat\u3001API polling\u7b49<\/p>\n\n\n\n Python\u793a\u4f8b<\/strong>\uff08\u6587\u4ef6tail+\u7b80\u5355Syslog UDP\u670d\u52a1\u5668\uff09<\/p>\n\n\n\n \u628a\u539f\u59cb\u65e5\u5fd7\u8f6c\u5316\u6210\u540c\u4e00\u7ed3\u6784\uff0c\u63d0\u53d6\u5173\u952e\u5b57\u6bb5<\/p>\n\n\n\n \u5178\u578b\u5b9e\u73b0\u65b9\u5f0f\uff1a<\/strong>\u6b63\u5219\/Grok\/CEF\/JSON schema\u6620\u5c04<\/p>\n\n\n\n Python\u5b9e\u4f8b<\/strong>\uff08\u7b80\u5355\u6b63\u5219 + CEF-like \u8f93\u51fa\uff09<\/p>\n\n\n\n \u628a\u89e3\u6790\u540e\u7684\u4e8b\u4ef6\u5b58\u4e0b\u6765\uff0c\u652f\u6301\u5feb\u901f\u68c0\u7d22\u3002<\/p>\n\n\n\n \u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1aElasticsearch\u3001OpenSearch\u3001ClickHouse\u3001PostgreSQL + TimescaleDB\u3001SQLite\uff08\u539f\u578b\uff09\u3002<\/p>\n\n\n\n Python \u793a\u4f8b<\/strong>\uff08\u4f7f\u7528 SQLite + \u7b80\u5355\u65f6\u95f4\u5206\u533a\u8868\uff09<\/p>\n\n\n\n \u6838\u5fc3\u68c0\u6d4b\u5f15\u64ce\uff1a\u89c4\u5219\u5339\u914d\u3001\u9608\u503c\u3001\u65f6\u95f4\u7a97\u53e3\u5173\u8054\u3001\u7b80\u5355 ML\u3002<\/p>\n\n\n\n \u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1a\u89c4\u5219\u5f15\u64ce\uff08Sigma\uff09\u3001CEP\u3001\u72b6\u6001\u673a\u3001ML \u5f02\u5e38\u68c0\u6d4b\u3002<\/p>\n\n\n\n Python \u793a\u4f8b<\/strong>\uff08\u7b80\u5355\u6ed1\u52a8\u7a97\u53e3 + \u89c4\u5219\uff09<\/p>\n\n\n\n \u4ea7\u751f\u544a\u8b66\u3001\u901a\u77e5\u3001\u81ea\u52a8\u5316\u52a8\u4f5c\u3002<\/p>\n\n\n\n \u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1a\u90ae\u4ef6\u3001Slack\/Webhook\u3001SOAR \u811a\u672c\u3001\u9632\u706b\u5899 API\u3002<\/p>\n\n\n\n Python \u793a\u4f8b<\/strong>\uff08\u90ae\u4ef6 + \u7b80\u5355 iptables \u5c01\u7981\uff09<\/p>\n\n\n\n \u4eea\u8868\u76d8\u3001\u67e5\u8be2\u3001\u62a5\u544a\u3001\u7528\u6237\u6743\u9650\u3001\u5ba1\u8ba1\u3001\u5f52\u6863\u3002<\/p>\n\n\n\n \u5178\u578b\u5b9e\u73b0\u65b9\u5f0f<\/strong>\uff1aKibana\/ Grafana\u3001\u81ea\u5b9a\u4e49 Flask\/Dash \u754c\u9762\u3001RBAC\u3002<\/p>\n\n\n\n Python \u793a\u4f8b<\/strong>\uff08\u7b80\u5355 Flask + SQLite \u67e5\u8be2 dashboard\uff09<\/p>\n\n\n\n \u4e4b\u540e\u7ec4\u5408\uff0c\u5f62\u6210\u4e00\u4e2a\u5c0f\u578b\u7ba1\u9053\uff1a<\/p>\n\n\n\n SIEM SIEM\uff08Security Information and Event Management\uff0c\u5b89\u5168\u4fe1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,14],"tags":[19],"class_list":["post-592","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","category-14","tag-19"],"_links":{"self":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=592"}],"version-history":[{"count":11,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/592\/revisions"}],"predecessor-version":[{"id":607,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=\/wp\/v2\/posts\/592\/revisions\/607"}],"wp:attachment":[{"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=592"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=592"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myblog.marsrains.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n\n\n\n\u6838\u5fc3\u67b6\u6784<\/h1>\n\n\n\n
1\u3001\u6570\u636e\u91c7\u96c6\u5c42<\/h2>\n\n\n\n
\n
\u673a\u5236<\/h3>\n\n\n\n
\n
2\u3001\u6570\u636e\u6807\u51c6\u5316\u4e0e\u89e3\u6790\u5c42<\/h2>\n\n\n\n
\n
\u673a\u5236<\/h3>\n\n\n\n
\n
3\u3001\u5b58\u50a8\u4e0e\u7d22\u5f15\u5c42<\/h2>\n\n\n\n
\n
4\u3001\u5206\u6790\u4e0e\u5173\u8054\u5c42\u2014\u2014\u6838\u5fc3\u5f15\u64ce<\/h2>\n\n\n\n
\n
\u89c4\u5219\u5f15\u64ce<\/h3>\n\n\n\n
\u7b80\u5355\u89c4\u5219\u7528if-then\uff1b\u590d\u6742\u7528CEP\uff08Complex Event Processing\uff09\u5982Esper<\/strong><\/summary>\n
\n
ML\u96c6\u6210<\/h3>\n\n\n\n
\u7528 UEBA \u68c0\u6d4b\u5f02\u5e38\uff08\u5982\u7528\u6237\u5e73\u65f6\u4ece US \u767b\u5f55\uff0c\u7a81\u7136\u4ece RU\uff0c\u9700\u57fa\u7ebf\u6a21\u578b\uff09<\/strong><\/summary>\n
\n
\n
\n
5\u3001\u544a\u8b66\u4e0e\u54cd\u5e94\u5c42<\/h2>\n\n\n\n
\n
\u673a\u5236<\/h3>\n\n\n\n
\u544a\u8b66\u5206\u7ea7\uff08\u9ad8\u5371\/\u4e2d\u5371\/\u4f4e\u5371\/\u65e0\u98ce\u9669\uff09\uff0c\u96c6\u6210SOAR\u81ea\u52a8\u5316\u54cd\u5e94<\/strong><\/summary>\n
\n
\n
\n
\u96c6\u6210<\/h3>\n\n\n\n
6\u3001\u7ba1\u7406\u4e0e\u5408\u89c4\u5c42<\/h2>\n\n\n\n
\n
\n\n\n\n\u5de5\u4f5c\u673a\u5236<\/h1>\n\n\n\n
\n
\n
\n
graph TB\nA((\u91c7\u96c6\u4e0e\u4f20\u8f93))\nB[\u5904\u7406\u4e0e\u5206\u6790]\nC[\u68c0\u6d4b\u5f02\u5e38]\nD[\u544a\u8b66\u751f\u6210]\nE((\u56de\u987e\u548c\u4f18\u5316))\nA--\u63a8\u9001\u5230\u670d\u52a1\u5668-->B\nB--\u65e5\u5fd7\u8fdb\u5165\u7ba1\u9053-->C\nC--\u89c4\u5219\u5339\u914d\u3001\u9608\u503c\u68c0\u6d4b\u3001\u884c\u4e3a\u5339\u914d-->D\nD--\u751f\u6210\u7968\u636e\uff0c\u544a\u77e5\u56e2\u961f-->E\nE--\u6a21\u578b\u5b66\u4e60\u3001\u5206\u6790\u5386\u53f2-->A<\/pre><\/div>\n\n\n\n
\n\n\n\nPython\u6a21\u5757\u793a\u4f8b<\/h1>\n\n\n\n
import re\nimport time\nimport smtplib\nfrom email.mime.text import MIMEText # \u7528\u4e8e\u6784\u5efa\u90ae\u4ef6\u5185\u5bb9\nfrom collections import defaultdict # \u7528\u4e8e\u5b58\u50a8\u767b\u5f55\u5931\u8d25\u7684\u65f6\u95f4\u6233\u5217\u8868\nfrom datetime import datetime, timedelta # \u7528\u4e8e\u5904\u7406\u65f6\u95f4\u7a97\u53e3\n\n# \u914d\u7f6e\u53c2\u6570\nLOG_FILE = '\/var\/log\/auth.log' # \u66ff\u6362\u4e3a\u5b9e\u9645\u65e5\u5fd7\u8def\u5f84\uff08\u9700\u8bfb\u6743\u9650\uff09\nALERT_THRESHOLD = 3 # \u5931\u8d25\u767b\u5f55\u9608\u503c\nTIME_WINDOW = timedelta(minutes=1) # \u65f6\u95f4\u7a97\u53e3\nSMTP_SERVER = 'smtp.example.com' # \u66ff\u6362\u4e3a\u4f60\u7684 SMTP \u670d\u52a1\u5668\nSMTP_PORT = 587 # \u66ff\u6362\u4e3a\u4f60\u7684 SMTP \u7aef\u53e3\nSENDER_EMAIL = 'alert@example.com' # \u66ff\u6362\u4e3a\u4f60\u7684\u53d1\u9001\u90ae\u7bb1\nSENDER_PASSWORD = 'your_password' # \u66ff\u6362\u4e3a\u4f60\u7684\u53d1\u9001\u90ae\u7bb1\u5bc6\u7801\nRECIPIENT_EMAIL = 'admin@example.com' # \u66ff\u6362\u4e3a\u4f60\u7684\u63a5\u6536\u90ae\u7bb1\n\n# \u6b63\u5219\u8868\u8fbe\u5f0f\u89e3\u6790 sshd \u767b\u5f55\u65e5\u5fd7\uff08\u793a\u4f8b\uff1aFailed password for user from IP\uff09\nFAILED_LOGIN_PATTERN = re.compile(r'Failed password for (\\w+) from ([\\d.]+) port \\d+ ssh2')\nSUCCESS_LOGIN_PATTERN = re.compile(r'Accepted password for (\\w+) from ([\\d.]+) port \\d+ ssh2')\n\nclass LoginTracker: # \u8ffd\u8e2a\u767b\u5f55\u5931\u8d25\u7684\u7c7b\n def __init__(self):\n self.failures = defaultdict(list) # IP -> list of failure timestamps\n\n def process_log_line(self, line):\n failed_match = FAILED_LOGIN_PATTERN.search(line)\n if failed_match: # \u5982\u679c\u5339\u914d\u5230\u5931\u8d25\u767b\u5f55\n user, ip = failed_match.groups()\n now = datetime.now() # \u5f53\u524d\u65f6\u95f4\n self.failures[ip].append(now) # \u8bb0\u5f55\u5931\u8d25\u65f6\u95f4\n # \u6e05\u7406\u8fc7\u671f\u8bb0\u5f55\n self.failures[ip] = [t for t in self.failures[ip] if now - t < TIME_WINDOW] # \u4fdd\u7559\u65f6\u95f4\u7a97\u53e3\u5185\u7684\u8bb0\u5f55\n # \u68c0\u67e5\u9608\u503c\n if len(self.failures[ip]) >= ALERT_THRESHOLD:\n self.send_alert(ip, user, len(self.failures[ip]))\n self.failures[ip] = [] # \u91cd\u7f6e\u8ba1\u6570\u4ee5\u907f\u514d\u91cd\u590d\u544a\u8b66\n\n success_match = SUCCESS_LOGIN_PATTERN.search(line)\n if success_match:\n user, ip = success_match.groups()\n print(f\"Successful login: User {user} from {ip}\")\n\n def send_alert(self, ip, user, count): # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6\n msg = MIMEText(f\"Abnormal login detected: {count} failed attempts for user {user} from IP {ip}\") # \u90ae\u4ef6\u5185\u5bb9\n msg['Subject'] = 'Security Alert: Abnormal Login'\n msg['From'] = SENDER_EMAIL # \u90ae\u4ef6\u53d1\u9001\u8005\n msg['To'] = RECIPIENT_EMAIL # \u90ae\u4ef6\u63a5\u6536\u8005\n\n try: # \u8fde\u63a5 SMTP \u670d\u52a1\u5668\u5e76\u53d1\u9001\u90ae\u4ef6\n server = smtplib.SMTP(SMTP_SERVER, SMTP_PORT) # \u8fde\u63a5 SMTP \u670d\u52a1\u5668\n server.starttls() # \u542f\u7528 TLS\n server.login(SENDER_EMAIL, SENDER_PASSWORD) # \u767b\u5f55 SMTP \u670d\u52a1\u5668\n server.sendmail(SENDER_EMAIL, RECIPIENT_EMAIL, msg.as_string())\n server.quit()\n print(\"Alert sent successfully\") \n except Exception as e:\n print(f\"Failed to send alert: {e}\")\n\ndef tail_log_file(file_path): # \u5b9e\u65f6\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\n with open(file_path, 'r') as f:\n # \u79fb\u52a8\u5230\u6587\u4ef6\u672b\u5c3e\n f.seek(0, 2) \n while True:\n line = f.readline()\n if not line:\n time.sleep(0.1) # \u8f6e\u8be2\u95f4\u9694\n continue\n yield line.strip() # \u8fd4\u56de\u65b0\u884c\n\n# \u4e3b\u51fd\u6570\nif __name__ == '__main__':\n tracker = LoginTracker()\n print(\"Starting log monitoring...\")\n for line in tail_log_file(LOG_FILE): # \u5904\u7406\u6bcf\u4e00\u884c\u65e5\u5fd7\n tracker.process_log_line(line) # \u89e3\u6790\u65e5\u5fd7\u884c\u5e76\u66f4\u65b0\u767b\u5f55\u72b6\u6001<\/code><\/pre>\n\n\n\n
\n\n\n\nPython\u4ee3\u7801\u7247\u6bb5\u793a\u4f8b<\/h1>\n\n\n\n
1\u3001\u6570\u636e\u91c7\u96c6\u5c42\uff08Data Collection \/ Ingestion\uff09<\/h2>\n\n\n\n
# collector.py - \u91c7\u96c6\u5c42\u793a\u4f8b\nimport socket\nimport threading\nfrom pathlib import Path\nimport time\n\ndef tail_file(log_path: str, callback): # \u5b9a\u4e49\u4e00\u4e2a\u51fd\u6570\u6765\u6a21\u62df tail -f \u529f\u80fd\uff0c\u5b9e\u65f6\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u65b0\u884c\n \"\"\"\u6a21\u62df tail -f\"\"\"\n path = Path(log_path)\n last_size = path.stat().st_size # \u83b7\u53d6\u6587\u4ef6\u521d\u59cb\u5927\u5c0f\uff0c\u4ee5\u4fbf\u540e\u7eed\u8bfb\u53d6\u65b0\u589e\u5185\u5bb9\n while True:\n time.sleep(0.2)\n current_size = path.stat().st_size # \u83b7\u53d6\u5f53\u524d\u6587\u4ef6\u5927\u5c0f\uff0c\u5982\u679c\u6709\u65b0\u589e\u5185\u5bb9\uff0c\u5219\u8bfb\u53d6\u65b0\u589e\u90e8\u5206\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\n if current_size > last_size: # \u5982\u679c\u6587\u4ef6\u6709\u65b0\u589e\u5185\u5bb9\uff0c\u5219\u8bfb\u53d6\u65b0\u589e\u90e8\u5206\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\n with open(path, 'r') as f:\n f.seek(last_size) # \u79fb\u52a8\u6587\u4ef6\u6307\u9488\u5230\u4e0a\u6b21\u8bfb\u53d6\u7684\u4f4d\u7f6e\n new_lines = f.readlines()\n for line in new_lines: # \u5904\u7406\u6bcf\u4e00\u884c\u65b0\u589e\u65e5\u5fd7\uff0c\u8c03\u7528\u56de\u8c03\u51fd\u6570\n callback(line.strip()) # \u53bb\u9664\u884c\u672b\u7684\u6362\u884c\u7b26\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\n last_size = current_size\n\ndef start_syslog_udp_server(port=514, callback=None): # \u5b9a\u4e49\u4e00\u4e2a\u51fd\u6570\u6765\u542f\u52a8\u4e00\u4e2a\u7b80\u5355\u7684 UDP Syslog \u670d\u52a1\u5668\uff0c\u76d1\u542c\u6307\u5b9a\u7aef\u53e3\u5e76\u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u63a5\u6536\u5230\u7684\u65e5\u5fd7\u6d88\u606f\n sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # \u521b\u5efa\u4e00\u4e2a UDP \u5957\u63a5\u5b57\n sock.bind(('0.0.0.0', port))\n print(f\"Syslog UDP listening on :{port}\")\n while True:\n data, addr = sock.recvfrom(4096) # \u63a5\u6536 UDP \u6d88\u606f\n line = data.decode('utf-8', errors='ignore').strip() # \u89e3\u7801\u6d88\u606f\u5e76\u53bb\u9664\u884c\u672b\u7684\u6362\u884c\u7b26\n if callback:\n callback(line) # \u8c03\u7528\u56de\u8c03\u51fd\u6570\u5904\u7406\u63a5\u6536\u5230\u7684\u65e5\u5fd7\u6d88\u606f\n\n# \u4f7f\u7528\u793a\u4f8b\nif __name__ == \"__main__\": # \u5b9a\u4e49\u4e00\u4e2a\u7b80\u5355\u7684\u56de\u8c03\u51fd\u6570\u6765\u6253\u5370\u91c7\u96c6\u5230\u7684\u65e5\u5fd7\u884c\n def print_line(line):\n print(f\"[\u91c7\u96c6] {line}\") \n\n # \u542f\u52a8\u6587\u4ef6 tail\n threading.Thread(target=tail_file, args=(\"\/var\/log\/auth.log\", print_line), daemon=True).start()\n\n # \u542f\u52a8 UDP Syslog \u63a5\u6536\uff08\u53ef\u9009\uff09\n # threading.Thread(target=start_syslog_udp_server, args=(514, print_line), daemon=True).start()\n\n while True:\n time.sleep(10) # \u4e3b\u7ebf\u7a0b\u4fdd\u6301\u8fd0\u884c\uff0c\u91c7\u96c6\u7ebf\u7a0b\u5728\u540e\u53f0\u5de5\u4f5c # \u53ef\u4ee5\u6839\u636e\u9700\u8981\u6dfb\u52a0\u66f4\u591a\u7684\u91c7\u96c6\u65b9\u5f0f\uff0c\u5982 TCP Syslog\u3001API \u91c7\u96c6\u7b49<\/code><\/pre>\n\n\n\n2\u3001\u6570\u636e\u6807\u51c6\u5316\u4e0e\u89e3\u6790\u5c42\uff08Normalization & Parsing\uff09<\/h2>\n\n\n\n
# parser.py\nimport re\nimport json\nfrom datetime import datetime\n\n# \u793a\u4f8b\uff1asshd \u5931\u8d25\u767b\u5f55\u6b63\u5219\nFAIL_PATTERN = re.compile(r'Failed password for (\\S+) from ([\\d.]+) port \\d+ ssh2')\n\ndef parse_line(raw_line: str) -> dict | None: # \u89e3\u6790\u65e5\u5fd7\u884c\uff0c\u63d0\u53d6\u4e8b\u4ef6\u4fe1\u606f\n ts = datetime.utcnow().isoformat() + \"Z\" # \u5b9e\u9645\u5e94\u4ece\u65e5\u5fd7\u63d0\u53d6\u65f6\u95f4\n event = {\n \"timestamp\": ts,\n \"raw\": raw_line,\n \"source\": \"auth.log\",\n \"event_type\": \"unknown\"\n }\n\n m = FAIL_PATTERN.search(raw_line) # \u5339\u914d\u5931\u8d25\u767b\u5f55\u4e8b\u4ef6\n if m:\n user, src_ip = m.groups()\n event.update({\n \"event_type\": \"authentication_failure\",\n \"user\": user,\n \"src_ip\": src_ip,\n \"severity\": \"medium\",\n \"category\": \"authentication\"\n })\n return event\n\n # \u53ef\u7ee7\u7eed\u6dfb\u52a0\u6210\u529f\u767b\u5f55\u3001sudo\u3001cron \u7b49\u591a\u79cd\u6a21\u5f0f...\n return None # \u5ffd\u7565\u4e0d\u5173\u5fc3\u7684\u65e5\u5fd7\n\n# \u4f7f\u7528\u793a\u4f8b\nif __name__ == \"__main__\": # \u6d4b\u8bd5\u89e3\u6790\u529f\u80fd\n test_lines = [\n 'Sep 4 10:15:23 server sshd[1234]: Failed password for invalid user admin from 192.168.1.100 port 12345 ssh2',\n 'Sep 4 10:16:01 server sshd[5678]: Accepted password for rain from 203.0.113.50 port 54321 ssh2'\n ]\n for line in test_lines:\n parsed = parse_line(line) # \u89e3\u6790\u65e5\u5fd7\u884c,\u8f93\u51fa\u7ed3\u679c\n if parsed:\n print(json.dumps(parsed, indent=2, ensure_ascii=False))<\/code><\/pre>\n\n\n\n3\u3001\u5b58\u50a8\u4e0e\u7d22\u5f15\u5c42\uff08Storage & Indexing\uff09<\/h2>\n\n\n\n
# storage.py\nimport sqlite3\nimport json\n\nfrom parser import parse_line # \u4ece parser \u6a21\u5757\u5bfc\u5165\u89e3\u6790\u51fd\u6570\nfrom datetime import datetime\n\nDB_PATH = \"siem_events.db\"\n\ndef init_db(): # \u521d\u59cb\u5316\u6570\u636e\u5e93\uff0c\u521b\u5efa\u4e8b\u4ef6\u8868\n conn = sqlite3.connect(DB_PATH)\n conn.execute(\"\"\"\n CREATE TABLE IF NOT EXISTS events (\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n timestamp TEXT,\n event_type TEXT,\n src_ip TEXT,\n user TEXT,\n severity TEXT,\n raw TEXT,\n json_data TEXT\n )\n \"\"\")\n conn.commit()\n return conn\n\ndef store_event(event: dict): # \u5b58\u50a8\u4e8b\u4ef6\u5230\u6570\u636e\u5e93\n conn = sqlite3.connect(DB_PATH) # \u8fde\u63a5\u6570\u636e\u5e93\n conn.execute(\"\"\"\n INSERT INTO events (timestamp, event_type, src_ip, user, severity, raw, json_data) \n VALUES (?, ?, ?, ?, ?, ?, ?) # \u4f7f\u7528\u53c2\u6570\u5316\u67e5\u8be2\u9632\u6b62 SQL \u6ce8\u5165\n \"\"\", ( \n event[\"timestamp\"],\n event.get(\"event_type\"),\n event.get(\"src_ip\"),\n event.get(\"user\"),\n event.get(\"severity\"),\n event[\"raw\"],\n json.dumps(event)\n )) # \u5c06\u4e8b\u4ef6\u5b57\u5178\u8f6c\u6362\u4e3a JSON \u5b58\u50a8\n conn.commit()\n conn.close()\n\n# \u4f7f\u7528\u793a\u4f8b\uff1a\u7ed3\u5408 parser\nif __name__ == \"__main__\":\n init_db()\n sample_event = parse_line(\"Failed password for test from 1.2.3.4 port 22 ssh2\") # \u4ece parser \u5bfc\u5165\u89e3\u6790\u51fd\u6570\uff0c\u89e3\u6790\u793a\u4f8b\u65e5\u5fd7\u884c\n if sample_event:\n store_event(sample_event)<\/code><\/pre>\n\n\n\n4\u3001\u5206\u6790\u4e0e\u5173\u8054\u5c42\uff08Analysis & Correlation\uff09<\/h2>\n\n\n\n
# analyzer.py\nfrom collections import defaultdict, deque \nfrom datetime import datetime, timedelta\n\nclass FailureWindow: # \u76d1\u63a7\u77ed\u65f6\u95f4\u5185\u7684\u5931\u8d25\u4e8b\u4ef6\n def __init__(self, threshold=5, window_sec=300): # threshold: \u5931\u8d25\u6b21\u6570\u9608\u503c, window_sec: \u65f6\u95f4\u7a97\u53e3\u957f\u5ea6\uff08\u79d2\uff09\n self.failures = defaultdict(lambda: deque(maxlen=100)) # \u5b58\u50a8\u6bcf\u4e2aIP\u7684\u5931\u8d25\u4e8b\u4ef6\u65f6\u95f4\u6233\uff0c\u4f7f\u7528deque\u81ea\u52a8\u4e22\u5f03\u8fc7\u65e7\u7684\u8bb0\u5f55\n self.threshold = threshold\n self.window = timedelta(seconds=window_sec) # \u8f6c\u6362\u4e3atimedelta\u5bf9\u8c61\uff0c\u65b9\u4fbf\u65f6\u95f4\u6bd4\u8f83\n\n def add_failure(self, ip: str, ts: datetime): # \u6dfb\u52a0\u5931\u8d25\u4e8b\u4ef6\n self.failures[ip].append(ts) # \u6dfb\u52a0\u5f53\u524d\u5931\u8d25\u4e8b\u4ef6\u7684\u65f6\u95f4\u6233\n # \u6e05\u7406\u8fc7\u671f\n while self.failures[ip] and ts - self.failures[ip][0] > self.window: # \u79fb\u9664\u7a97\u53e3\u5916\u7684\u65e7\u8bb0\u5f55\n self.failures[ip].popleft()\n\n def is_brute_force(self, ip: str) -> bool: # \u5224\u65ad\u662f\u5426\u8fbe\u5230\u66b4\u529b\u653b\u51fb\u7684\u6761\u4ef6\n if len(self.failures[ip]) >= self.threshold: # \u5982\u679c\u5f53\u524dIP\u7684\u5931\u8d25\u4e8b\u4ef6\u6570\u91cf\u8d85\u8fc7\u9608\u503c\uff0c\u8ba4\u4e3a\u53ef\u80fd\u662f\u66b4\u529b\u653b\u51fb\n return True\n return False\n\n# \u89c4\u5219\u793a\u4f8b\uff1a\u77ed\u65f6\u95f4\u591a\u6b21\u5931\u8d25\u767b\u5f55\nanalyzer = FailureWindow(threshold=4, window_sec=120)\n\ndef analyze_event(event: dict): # \u5206\u6790\u4e8b\u4ef6\uff0c\u5224\u65ad\u662f\u5426\u89e6\u53d1\u66b4\u529b\u653b\u51fb\u89c4\u5219\n if event.get(\"event_type\") == \"authentication_failure\": \n ts = datetime.fromisoformat(event[\"timestamp\"].replace(\"Z\", \"+00:00\")) # \u89e3\u6790\u65f6\u95f4\u6233\uff0c\u5904\u7406UTC\u683c\u5f0f\n ip = event[\"src_ip\"]\n analyzer.add_failure(ip, ts)\n if analyzer.is_brute_force(ip):\n return {\n \"alert\": True,\n \"type\": \"brute_force_attempt\",\n \"ip\": ip,\n \"count\": len(analyzer.failures[ip]),\n \"time_window\": \"2\u5206\u949f\"\n }\n return None<\/code><\/pre>\n\n\n\n5\u3001\u544a\u8b66\u4e0e\u54cd\u5e94\u5c42\uff08Alerting & Response\uff09<\/h2>\n\n\n\n
#alerter.py\nimport smtplib\nfrom email.mime.text import MIMEText\nimport subprocess\n\ndef send_email_alert(alert_data: dict, to_email=\"admin@example.com\"): # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6\n msg = MIMEText(f\"\u9ad8\u5371\u544a\u8b66\uff1a{alert_data}\")\n msg['Subject'] = f\"SIEM Alert - {alert_data.get('type', '\u672a\u77e5')}\"\n msg['From'] = \"siem@example.com\"\n msg['To'] = to_email\n\n with smtplib.SMTP(\"smtp.example.com\", 587) as server: # \u8fde\u63a5SMTP\u670d\u52a1\u5668\n server.starttls()\n server.login(\"siem@example.com\", \"password\")\n server.send_message(msg)\n\ndef auto_block_ip(ip: str): # \u81ea\u52a8\u5c01\u7981IP\u5730\u5740\n try: \n # \u6ce8\u610f\uff1a\u751f\u4ea7\u73af\u5883\u9700\u8c28\u614e\uff0c\u6700\u597d\u7528 nftables \u6216\u4e13\u7528\u9632\u706b\u5899\u63a5\u53e3\n subprocess.run([\"sudo\", \"iptables\", \"-A\", \"INPUT\", \"-s\", ip, \"-j\", \"DROP\"], check=True, timeout=10) # \u4f7f\u7528iptables\u5c01\u7981IP\uff0c\u8bbe\u7f6e\u8d85\u65f6\u907f\u514d\u6302\u8d77\n print(f\"\u5df2\u81ea\u52a8\u5c01\u7981 IP: {ip}\")\n except Exception as e:\n print(f\"\u5c01\u7981\u5931\u8d25: {e}\")\n\n# \u4f7f\u7528\u793a\u4f8b\nif __name__ == \"__main__\": # \u6a21\u62df\u63a5\u6536\u5230\u4e00\u4e2a\u9ad8\u5371\u544a\u8b66\n sample_alert = {\"type\": \"brute_force_attempt\", \"ip\": \"1.2.3.4\", \"count\": 7} # \u6a21\u62df\u4e00\u4e2a\u66b4\u529b\u653b\u51fb\u544a\u8b66\n send_email_alert(sample_alert) # \u53d1\u9001\u544a\u8b66\u90ae\u4ef6\n auto_block_ip(sample_alert[\"ip\"]) # \u81ea\u52a8\u5c01\u7981\u653b\u51fbIP<\/code><\/pre>\n\n\n\n6\u3001\u5c55\u793a\u3001\u7ba1\u7406\u4e0e\u5408\u89c4\u5c42\uff08Visualization, Management & Compliance\uff09<\/h2>\n\n\n\n
# dashboard.py - \u6781\u7b80 Web \u5c55\u793a\nfrom flask import Flask, render_template_string\nimport sqlite3\n\napp = Flask(__name__)\n\nHTML = \"\"\"\n<!doctype html>\n<title>SIEM Mini Dashboard<\/title>\n<h1>\u6700\u8fd1\u544a\u8b66\u4e8b\u4ef6<\/h1>\n<table border=1>\n<tr><th>\u65f6\u95f4<\/th><th>\u7c7b\u578b<\/th><th>IP<\/th><th>\u7528\u6237<\/th><th>\u539f\u59cb\u65e5\u5fd7<\/th><\/tr>\n{% for row in events %}\n<tr><td>{{ row[0] }}<\/td><td>{{ row[1] }}<\/td><td>{{ row[2] }}<\/td><td>{{ row[3] }}<\/td><td>{{ row[6][:100] }}<\/td><\/tr>\n{% endfor %}\n<\/table>\n\"\"\"\n\n@app.route(\"\/\") # \u9996\u9875\u663e\u793a\u6700\u8fd1\u7684\u544a\u8b66\u4e8b\u4ef6\ndef dashboard(): # \u4ece\u6570\u636e\u5e93\u8bfb\u53d6\u6700\u8fd1\u7684\u4e8b\u4ef6\u5e76\u5c55\u793a\n conn = sqlite3.connect(\"siem_events.db\")\n cur = conn.cursor() # \u67e5\u8be2\u6700\u8fd1\u7684\u4e8b\u4ef6\n cur.execute(\"SELECT timestamp, event_type, src_ip, user, severity, raw FROM events ORDER BY timestamp DESC LIMIT 20\")\n events = cur.fetchall() # \u5173\u95ed\u6570\u636e\u5e93\u8fde\u63a5\n conn.close()\n return render_template_string(HTML, events=events) # \u6e32\u67d3 HTML \u6a21\u677f\u5e76\u8fd4\u56de\n\nif __name__ == \"__main__\": # \u542f\u52a8 Flask \u5e94\u7528\n app.run(debug=True, port=5005)<\/code><\/pre>\n\n\n\n# main.py \u793a\u4f8b\u7ec4\u5408\nfrom collector import tail_file\nfrom parser import parse_line\nfrom storage import store_event\nfrom analyzer import analyze_event\nfrom alerter import send_email_alert # \u6216\u5176\u4ed6\u52a8\u4f5c\n\ndef process_line(raw): # \u5904\u7406\u6bcf\u4e00\u884c\u65e5\u5fd7\n event = parse_line(raw)\n if event:\n store_event(event)\n alert = analyze_event(event)\n if alert and alert.get(\"alert\"):\n send_email_alert(alert)\n\ntail_file(\"\/var\/log\/auth.log\", process_line) # \u76d1\u63a7\u65e5\u5fd7\u6587\u4ef6\u5e76\u5904\u7406\u65b0\u884c<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"