import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.*;
import org.apache.spark.SparkConf;
import org.apache.spark.api.java.JavaPairRDD;
import org.apache.spark.api.java.JavaRDD;
import org.apache.spark.api.java.JavaSparkContext;
import org.elasticsearch.spark.rdd.api.java.JavaEsSpark;
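public class IDSJava {

    /** File (in the working directory) holding the epoch-millisecond timestamp of the previous run. */
    private static final String LAST_CHECK_FILE = "last_check.txt";

    /** Value a syslog document must contain to be counted as an ICMP event. */
    private static final String ICMP_EVENT_MARKER = " Generic ICMP event";

    /** Index/type the ICMP warning document is written to. */
    private static final String THREAT_INDEX = "threats/icmp";

    /** Layout of the date string rebuilt from the "@timestamp" tokens; see {@link #getOnlyICMPEvents}. */
    private static final String TIMESTAMP_PATTERN = "MMM d yyyy HH:mm:ss";

    /** Not used by this class; retained so that existing references keep compiling. */
    public Long lastCheckTime;

    /**
     * Entry point: {@code args[0]} is the ICMP event threshold. Builds a local Spark context and
     * runs one ICMP check against today's syslog index.
     *
     * @param args command-line arguments; exactly one integer threshold is expected
     * @throws IllegalArgumentException if the threshold is missing or not an integer
     */
    public static void main(String[] args) {
        int threshold = parseThreshold(args);
        System.out.println("GET CURRENT DATE: " + getCurrentDate(true));
        JavaSparkContext jsc = new JavaSparkContext(newSparkConf());
        // Counts ICMP events since the last run; above the threshold a warning is written back to Elasticsearch.
        ICMPTesting(threshold, jsc);
    }

    /**
     * Parses the threshold from the command line, failing with a usage message instead of a bare
     * NumberFormatException / ArrayIndexOutOfBoundsException.
     *
     * @param args the raw command-line arguments
     * @return the parsed threshold
     * @throws IllegalArgumentException if no argument is given or it is not an integer
     */
    private static int parseThreshold(String[] args) {
        if (args.length < 1) {
            throw new IllegalArgumentException("usage: IDSJava <threshold>");
        }
        try {
            return Integer.parseInt(args[0]);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("threshold must be an integer, got: " + args[0], e);
        }
    }

    /** Spark configuration shared by the read and the write context (local master, auto-created ES indices). */
    private static SparkConf newSparkConf() {
        SparkConf conf = new SparkConf().setAppName("myApp").setMaster("local");
        conf.set("es.index.auto.create", "true");
        return conf;
    }

    /**
     * Reads today's syslog index, keeps the ICMP events newer than the last recorded check and, if
     * there are more than {@code threshold} of them, writes a warning via {@link #writeEventToES}.
     * The last-check marker is updated afterwards in every case.
     *
     * @param threshold number of ICMP events above which a warning is raised
     * @param jsc Spark context used for the read; writeEventToES closes it when a warning is written
     */
    private static void ICMPTesting(int threshold, JavaSparkContext jsc) {
        // NOTE(review): only today's index is read, while lastCheck may lie in a previous day, so events
        // logged between the last run and midnight would not be seen — confirm against the index layout.
        JavaRDD<Map<String, Object>> esRDD = JavaEsSpark.esRDD(jsc, getCurrentDate(true) + "/syslog")
                .values()
                .filter(doc -> doc.containsValue(ICMP_EVENT_MARKER));
        long lastCheck = getLastCheck();
        List<Map<String, Object>> icmpEvents = getOnlyICMPEvents(esRDD, lastCheck);
        if (icmpEvents.size() > threshold) {
            writeEventToES(icmpEvents, jsc, threshold);
        }
        updateLastCheck();
    }

    /**
     * Writes one ICMP warning document (event text, event count, current time in ms) to
     * {@code threats/icmp}.
     *
     * @param icmpEvents the ICMP events that triggered the warning; only their count is written
     * @param jsc the read context, which is stopped before a fresh context is opened for the write
     * @param threshold the threshold that was exceeded, included in the warning text
     */
    private static void writeEventToES(List<Map<String, Object>> icmpEvents, JavaSparkContext jsc, int threshold) {
        System.out.println("Writing events to Elasticsearch.");
        // The original flow stops the read context and opens a new one for the write; whether one
        // context could serve both is not established here, so the two-context pattern is kept.
        jsc.close();
        JavaSparkContext jscSave = new JavaSparkContext(newSparkConf());
        try {
            Map<String, ?> warning = ImmutableMap.of(
                    "event", "The number of ICMP events from the last check exceeded the specified threshold(" + threshold + ")",
                    "ICMPcount", icmpEvents.size() + "",
                    "date", getCurrentDate(false) + "");
            JavaRDD<Map<String, ?>> warningRdd = jscSave.parallelize(ImmutableList.of(warning));
            JavaEsSpark.saveToEs(warningRdd, THREAT_INDEX);
        } finally {
            // The write context was never stopped before; release it even if saveToEs throws.
            jscSave.close();
        }
    }

    /**
     * Persists the current time in epoch milliseconds to {@code last_check.txt}, overwriting any
     * previous content, so the next run only looks at events newer than this one. An I/O failure is
     * reported on stderr and otherwise ignored, as before; the next run then re-checks from the old marker.
     */
    private static void updateLastCheck() {
        Path target = Paths.get(LAST_CHECK_FILE);
        try {
            // Files.write creates or truncates, which replaces the former delete-then-FileWriter(false) sequence.
            Files.write(target, getCurrentDate(false).getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            System.err.println("Could not persist last check time to " + target);
            e.printStackTrace();
        }
    }

    /**
     * Filters the collected documents down to those whose "@timestamp" is later than {@code lastCheck}.
     * Each timestamp is expected in the {@code Date.toString()} layout
     * {@code "EEE MMM d HH:mm:ss zzz yyyy"}; it is re-assembled into {@code "MMM d yyyy HH:mm:ss"} and parsed.
     * A document whose timestamp is missing or unparseable is skipped (reported on stderr) instead of
     * aborting the whole scan, which previously silently dropped every later document as well.
     *
     * @param esRDD documents to inspect; they are collected to the driver
     * @param lastCheck epoch milliseconds of the previous run
     * @return the documents newer than {@code lastCheck}, in collection order
     */
    public static List<Map<String, Object>> getOnlyICMPEvents(JavaRDD<Map<String, Object>> esRDD, long lastCheck) {
        // Month abbreviations are English, so parsing must not depend on the JVM's default locale.
        // NOTE(review): the zone token of the timestamp is not used; the time is interpreted in the
        // JVM's default zone — confirm that matches the zone the syslog source writes.
        SimpleDateFormat sdf = new SimpleDateFormat(TIMESTAMP_PATTERN, Locale.ENGLISH);
        List<Map<String, Object>> recent = new ArrayList<>();
        for (Map<String, Object> doc : esRDD.collect()) {
            Object stamp = doc.get("@timestamp");
            if (stamp == null) {
                System.err.println("Skipping document without @timestamp");
                continue;
            }
            try {
                Date eventTime = sdf.parse(reorderTimestamp(stamp.toString()));
                if (eventTime.getTime() > lastCheck) {
                    recent.add(doc);
                }
            } catch (ParseException | IllegalArgumentException e) {
                System.err.println("Skipping document with unparseable @timestamp: " + stamp);
                e.printStackTrace();
            }
        }
        for (Map<String, Object> doc : recent) {
            System.out.println(doc.get("@timestamp") + "");
        }
        return recent;
    }

    /**
     * Rebuilds {@code "MMM d yyyy HH:mm:ss"} from a space-separated
     * {@code "EEE MMM d HH:mm:ss zzz yyyy"} value.
     *
     * @param raw the timestamp as stored in the document
     * @return the reordered string matching {@link #TIMESTAMP_PATTERN}
     * @throws IllegalArgumentException if the value has fewer than six tokens
     */
    private static String reorderTimestamp(String raw) {
        String[] parts = raw.split(" ");
        if (parts.length < 6) {
            throw new IllegalArgumentException("unexpected @timestamp layout: " + raw);
        }
        // parts: [0]=weekday [1]=month [2]=day [3]=time [4]=zone [5]=year
        return String.format("%s %s %s %s", parts[1], parts[2], parts[5], parts[3]);
    }

    /**
     * Returns either today's syslog index name or the current time.
     *
     * @param full {@code true} for the index name {@code syslog-yyyy.MM.dd}, {@code false} for the
     *             current epoch time in milliseconds as a string
     * @return the index name or the millisecond timestamp
     */
    public static String getCurrentDate(boolean full) {
        Calendar now = Calendar.getInstance();
        if (!full) {
            return now.getTimeInMillis() + "";
        }
        int day = now.get(Calendar.DAY_OF_MONTH);
        int month = now.get(Calendar.MONTH) + 1; // Calendar months are zero-based
        int year = now.get(Calendar.YEAR);
        return String.format("syslog-%d.%02d.%02d", year, month, day);
    }

    /**
     * Reads the epoch-millisecond timestamp of the previous run from {@code last_check.txt}, so only
     * events newer than that are considered. Returns 0 (check everything) when the file is missing,
     * unreadable or does not hold a number. The value is trusted as read: anyone who can write the
     * working directory can move the marker forward and thereby hide events from the next check, so
     * that directory's permissions deserve the same care as the detection logic.
     *
     * @return last check time in epoch milliseconds, or 0 when none is recorded
     */
    public static long getLastCheck() {
        Path source = Paths.get(LAST_CHECK_FILE);
        if (!Files.exists(source)) {
            return 0; // first run: nothing has been checked yet
        }
        try {
            String content = new String(Files.readAllBytes(source), StandardCharsets.UTF_8).trim();
            return Long.parseLong(content);
        } catch (IOException | NumberFormatException e) {
            // Previously an empty file raised NoSuchElementException and the Scanner leaked on error.
            System.err.println("Could not read last check time from " + source + "; checking the whole index");
            e.printStackTrace();
            return 0;
        }
    }
}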