Testovaci dotazy MongoDB - stavajici¶
Mentat¶
Vrat vsechny udalosti za 1 tyden¶
... WHERE startTime >= start AND endTime <= end;
{ "DetectTime": { "$gte": start, "$lte": end } }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
query =
// Baseline: count every alert whose DetectTime lies in the one-week window
// 2016-06-06T12:00 .. 2016-06-12T12:00 (start/end listed above).
// The BinData(0, ...) arguments are the base64 encodings of start and end given above.
// Both bounds are inclusive ($gte/$lte), so an event stamped exactly on the boundary
// is counted by two adjacent windows; a half-open window ($gte/$lt) would avoid that.
db.alerts.find({ "DetectTime": { "$gte": BinData(0,"2v/IIAAAAAA="), "$lte": BinData(0,"2wexIAAAAAA=")} }).count()
result = 6 747 529 events, time = 0:02,73 minutes
HAWAT¶
Vrat vsechny udalosti z casoveho okna ve kterych figurovala IP adresa ip¶
... WHERE ("DetectTime" >= start AND "DetectTime" <= end) AND ("Source.IP4.ip" = ip OR "Target.IP4.ip" = ip);
{ "DetectTime":{ "$gte":start, "$lte":end }, "$or":[ { "Source.IP4.ip":ip }, { "Target.IP4.ip":ip } ] }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
ip = 195.113.252.33 (w3H8IQ==) (5,3% z celku)
query =
// Events in the window where 195.113.252.33 appears as source OR target address.
// The address is compared as a 4-byte packed BinData value (w3H8IQ== == 195.113.252.33,
// see the parameter list above), not as a dotted string, so the literal must be
// converted before it is placed in the query.
db.alerts.find({ "DetectTime": { "$gte": BinData(0,"2v/IIAAAAAA="), "$lte": BinData(0,"2wexIAAAAAA=")}, "$or": [ { "Source.IP4.ip": BinData(0,"w3H8IQ==") }, { "Target.IP4.ip": BinData(0,"w3H8IQ==") } ] }).count()
result = 364 527 events, time = 1:44,94 minutes
Vrat vsechny udalosti z casoveho okna pro subnet ip_min - ip_max¶
... WHERE ("DetectTime" >= start AND "DetectTime" <= end) AND (("Source.IP4.min" >= ip_min AND "Source.IP4.max" <= ip_max) OR ("Target.IP4.min" >= ip_min AND "Target.IP4.max" <= ip_max))
{ "DetectTime":{ "$gte":start, "$lte":end }, "$or":[ { "Source.IP4.min":{ "$gte":net_min }, "Source.IP4.max":{ "$lte":net_max } }, { "Target.IP4.min":{ "$gte":net_min }, "Target.IP4.max":{ "$lte":net_max } } ] }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
net_min = 208.100.26.0 (0GQaAA==)
net_max = 208.100.26.255 (0GQa/w==)
query =
// Subnet 208.100.26.0 - 208.100.26.255 (0GQaAA== / 0GQa/w==, see above).
// Each $or branch requires BOTH IP4.min >= net_min AND IP4.max <= net_max, i.e. the
// event's address range must lie entirely INSIDE the subnet. A range that merely
// overlaps the subnet (e.g. a larger block containing it) is not counted.
// The "cold" vs "hot" timings below are the first and a repeated run of the same
// query; presumably the difference is the working set being cached - confirm.
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.min":{ "$gte":BinData(0, "0GQaAA==") }, "Source.IP4.max":{ "$lte":BinData(0, "0GQa/w==") } }, { "Target.IP4.min":{ "$gte":BinData(0, "0GQaAA==") }, "Target.IP4.max":{ "$lte":BinData(0, "0GQa/w==") } } ] }).count()
result = 72 334 events, 10:51,88 minutes (cold)
result = 72 334 events, 0:04,68 minutes (hot)
Vrat vsechny udalosti z casoveho okna pro zvolenou kategorii¶
... WHERE startTime >= start AND endTime <= end AND category = category;
{ "DetectTime":{ "$gte":start, "$lte":end }, "Category":category }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
category = Recon.Scanning
query =
// Window filter plus an exact string match on Category ("Recon.Scanning").
// NOTE(review): if Category is stored as an array, MongoDB matches when ANY element
// equals the string; if it is a scalar, only an exact match counts - confirm which.
db.alerts.find({ "DetectTime":{ "$gte":BinData(0,"2v/IIAAAAAA="), "$lte":BinData(0,"2wexIAAAAAA=") }, "Category":"Recon.Scanning" }).count()
result = 6 237 248 events, time = 0:15,30 minutes
Vrat vsechny udalosti z casoveho okna pro zvoleny detektor¶
... WHERE startTime >= start AND endTime <= end AND node.name = name;
{ "DetectTime":{ "$gte":start, "$lte":end }, "Node.Name":node_name }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
node_name = cz.cesnet.hoststats
query =
// Window filter plus an exact match on the detector name in Node.Name
// ("cz.cesnet.hoststats"); a detector reporting under a different name variant
// (case, suffix) would not be counted.
db.alerts.find({ "DetectTime":{ "$gte":BinData(0,"2v/IIAAAAAA="), "$lte":BinData(0,"2wexIAAAAAA=") }, "Node.Name":"cz.cesnet.hoststats" }).count()
result = 961 836 events, time = 0:25,76 minutes
Vrat vsechny udalosti z casoveho okna pro zvoleny detektor spadajici do dane kategorie¶
... WHERE startTime >= start AND endTime <= end AND node.name = name AND category = category;
{ "DetectTime":{ "$gte":start, "$lte":end }, "Node.Name":node_name, "Category":category }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
node_name = cz.cesnet.hoststats
category = Recon.Scanning
query =
// Detector AND category in one window: Node.Name == "cz.cesnet.hoststats" and
// Category == "Recon.Scanning". Sibling keys in a MongoDB filter are implicitly ANDed.
// Compared with the detector-only count above, the difference (961 836 vs 961 071)
// is the number of this detector's events in the window that are not Recon.Scanning.
db.alerts.find({ "DetectTime":{ "$gte":BinData(0,"2v/IIAAAAAA="), "$lte":BinData(0,"2wexIAAAAAA=") }, "Node.Name":"cz.cesnet.hoststats", "Category":"Recon.Scanning" }).count()
result = 961 071 events, time = 0:28,46 minutes
Vrat vsechny udalosti z casoveho okna ve kterych figurovala IP adresa ip spadajici do dane kategorie¶
... WHERE ("DetectTime" >= start AND "DetectTime" <= end) AND ("Source.IP4.ip" = ip OR "Target.IP4.ip" = ip) AND ("Category" = category)
{ "DetectTime":{ "$gte":start, "$lte":end }, "$or":[ { "Source.IP4.ip":ip }, { "Target.IP4.ip":ip } ], "Category":category }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
ip = 195.113.252.33
category = Recon.Scanning
query =
// Same source-or-target match on 195.113.252.33 (w3H8IQ==) as the IP query above,
// narrowed by Category == "Recon.Scanning".
// The result (364 527) equals the category-less count for this IP, so within this
// window every event involving the address carries the Recon.Scanning category.
db.alerts.find({ "DetectTime": { "$gte": BinData(0,"2v/IIAAAAAA="), "$lte": BinData(0,"2wexIAAAAAA=")}, "$or": [ { "Source.IP4.ip": BinData(0,"w3H8IQ==") }, { "Target.IP4.ip": BinData(0,"w3H8IQ==") } ], "Category":"Recon.Scanning" }).count()
result = 364 527 events, time = 0:32,95 minutes
Vrat vsechny udalosti z casoveho okna pro subnet ip_min - ip_max spadajici do dane kategorie¶
... WHERE ("DetectTime" >= start AND "DetectTime" <= end) AND (("Source.IP4.min" >= ip_min AND "Source.IP4.max" <= ip_max) OR ("Target.IP4.min" >= ip_min AND "Target.IP4.max" <= ip_max)) AND ("Category" = category)
{ "DetectTime":{ "$gte":start, "$lte":end }, "$or":[ { "Source.IP4.min":{ "$gte":net_min }, "Source.IP4.max":{ "$lte":net_max } }, { "Target.IP4.min":{ "$gte":net_min }, "Target.IP4.max":{ "$lte":net_max } } ], "Category":category }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
net_min = 78.128.252.0
net_max = 78.128.252.255
category = Recon.Scanning
query =
// Subnet containment (IP4.min >= net_min AND IP4.max <= net_max on source or target)
// narrowed by Category == "Recon.Scanning".
// NOTE(review): the BinData bounds in this query (0GQaAA== / 0GQa/w==) decode to
// 208.100.26.0 - 208.100.26.255, i.e. the subnet of the previous test, NOT the
// 78.128.252.0 - 78.128.252.255 stated as net_min/net_max above. The recorded
// result therefore belongs to the 208.100.26.0/24 subnet; re-run with the
// 78.128.252.x encodings if that was the intended measurement.
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.min":{ "$gte":BinData(0, "0GQaAA==") }, "Source.IP4.max":{ "$lte":BinData(0, "0GQa/w==") } }, { "Target.IP4.min":{ "$gte":BinData(0, "0GQaAA==") }, "Target.IP4.max":{ "$lte":BinData(0, "0GQa/w==") } } ], "Category":"Recon.Scanning" }).count()
result = 68 964 events, time = 0:22,00 minutes
COUNT¶
Vsechny dotazy HAWATu¶
ORDER¶
Vsechny dotazy HAWATu¶
Ostatni¶
Test skalovani v zavislosti na velikosti seznamu IP adres (2,4,8,16,32,64,128)¶
... WHERE ("DetectTime" >= start AND "DetectTime" <= end) AND ("Source.IP4.ip" IN (ip1, ip2) OR "Target.IP4.ip" IN (ip1, ip2))
{ "DetectTime":{ "$gte":start, "$lte":end }, "$or":[ { "Source.IP4.ip":{ "$in":[ ip_list ] } }, { "Target.IP4.ip":{ "$in":[ ip_list ] } } ] }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
ip_list(2)¶
ip_list(2)= 217.23.5.2, 195.113.252.49
// Scaling test, step with 2 addresses (217.23.5.2, 195.113.252.49).
// Pattern shared by every ip_list(N) step: the same packed-address list is given
// twice, once under Source.IP4.ip and once under Target.IP4.ip, inside a $or.
// An event counts if ANY listed address appears on either side.
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "w3H8MQ==") ] } }, { "Target.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "w3H8MQ==") ] } } ] }).count()
result = 585092, time = 0:31,52 minutes
ip_list(4)¶
ip_list(4)= 217.23.5.2, 91.192.197.204, 195.113.252.49, 195.113.252.177
// Scaling test, step with 4 addresses ($in list repeated for source and target).
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ==") ] } }, { "Target.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ==") ] } } ] }).count()
result = 1 065 895, time = 0:31,41 minutes
ip_list(8)¶
ip_list(8)= 217.23.5.2, 91.192.197.204, 93.174.93.94, 207.244.70.169, 195.113.252.49, 195.113.252.177, 195.113.252.161, 195.113.252.33
// Scaling test, step with 8 addresses ($in list repeated for source and target).
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ==") ] } }, { "Target.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ==") ] } } ] }).count()
result = 1949772, time = 0:31,30 minutes
ip_list(16)¶
ip_list(16)= 217.23.5.2, 91.192.197.204, 93.174.93.94, 207.244.70.169, 217.23.5.21, 89.248.172.140, 84.22.2.142, 195.62.52.90, 195.113.252.49, 195.113.252.177, 195.113.252.161, 195.113.252.33, 147.229.104.0, 217.31.192.0, 195.113.255.1, 195.113.253.1
// Scaling test, step with 16 addresses ($in list repeated for source and target).
// Timings for 2..16 addresses (about 0:31 each) are flat, so the list length is not
// the dominant cost at this size.
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ==") ] } }, { "Target.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ==") ] } } ] }).count()
result = 2 141 519, time = 0:31,37 minutes
ip_list(32)¶
- ip_list(32)=
217.23.5.2, 91.192.197.204, 93.174.93.94, 207.244.70.169, 217.23.5.21, 89.248.172.140, 84.22.2.142, 195.62.52.90, 77.247.181.162, 109.230.85.155, 80.82.70.198, 80.82.65.61, 71.6.135.131, 169.229.3.91, 46.234.125.89, 71.6.167.142, 195.113.252.49, 195.113.252.177, 195.113.252.161, 195.113.252.33, 147.229.104.0, 217.31.192.0, 195.113.255.1, 195.113.253.1, 195.113.254.1, 78.128.253.1, 78.128.254.1, 195.113.254.5, 195.113.254.2, 78.128.255.1, 195.113.253.6, 195.113.252.3
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "Tfe1og=="), BinData(0, "beZVmw=="), BinData(0, "UFJGxg=="), BinData(0, "UFJBPQ=="), BinData(0, "RwaHgw=="), BinData(0, "qeUDWw=="), BinData(0, "Lup9WQ=="), BinData(0, "Rwanjg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ=="), BinData(0, "w3H+AQ=="), BinData(0, "ToD9AQ=="), BinData(0, "ToD+AQ=="), BinData(0, "w3H+BQ=="), BinData(0, "w3H+Ag=="), BinData(0, "ToD/AQ=="), BinData(0, "w3H9Bg=="), BinData(0, "w3H8Aw==") ] } }, { "Target.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "Tfe1og=="), BinData(0, "beZVmw=="), BinData(0, "UFJGxg=="), BinData(0, "UFJBPQ=="), BinData(0, "RwaHgw=="), BinData(0, "qeUDWw=="), BinData(0, "Lup9WQ=="), BinData(0, "Rwanjg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ=="), BinData(0, "w3H+AQ=="), BinData(0, "ToD9AQ=="), BinData(0, "ToD+AQ=="), BinData(0, "w3H+BQ=="), BinData(0, "w3H+Ag=="), BinData(0, "ToD/AQ=="), BinData(0, "w3H9Bg=="), BinData(0, "w3H8Aw==") ] } } ] }).count()
result = 2 454 499, time = 0:31,92 minutes
ip_list(64)¶
- ip_list(64)=
217.23.5.2, 91.192.197.204, 93.174.93.94, 207.244.70.169, 217.23.5.21, 89.248.172.140, 84.22.2.142, 195.62.52.90, 77.247.181.162, 109.230.85.155, 80.82.70.198, 80.82.65.61, 71.6.135.131, 169.229.3.91, 46.234.125.89, 71.6.167.142, 104.40.234.225, 185.72.179.19, 66.240.192.138, 66.240.236.119, 104.193.252.230, 198.20.69.98, 198.20.87.98, 66.240.219.146, 198.20.69.74, 71.6.158.166, 91.236.75.4, 71.6.165.200, 71.6.146.185, 164.132.110.97, 50.63.202.9, 216.243.31.2, 195.113.252.49, 195.113.252.177, 195.113.252.161, 195.113.252.33, 147.229.104.0, 217.31.192.0, 195.113.255.1, 195.113.253.1, 195.113.254.1, 78.128.253.1, 78.128.254.1, 195.113.254.5, 195.113.254.2, 78.128.255.1, 195.113.253.6, 195.113.252.3, 195.113.254.4, 195.113.254.6, 195.113.254.7, 195.113.252.2, 195.113.254.3, 195.113.253.3, 195.113.252.7, 195.113.252.6, 195.113.252.4, 195.113.253.5, 195.113.253.4, 195.113.252.5, 195.113.253.7, 195.113.253.2, 195.113.255.4, 195.113.255.2
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "Tfe1og=="), BinData(0, "beZVmw=="), BinData(0, "UFJGxg=="), BinData(0, "UFJBPQ=="), BinData(0, "RwaHgw=="), BinData(0, "qeUDWw=="), BinData(0, "Lup9WQ=="), BinData(0, "Rwanjg=="), BinData(0, "aCjq4Q=="), BinData(0, "uUizEw=="), BinData(0, "QvDAig=="), BinData(0, "QvDsdw=="), BinData(0, "aMH85g=="), BinData(0, "xhRFYg=="), BinData(0, "xhRXYg=="), BinData(0, "QvDbkg=="), BinData(0, "xhRFSg=="), BinData(0, "Rwaepg=="), BinData(0, "W+xLBA=="), BinData(0, "RwalyA=="), BinData(0, "RwaSuQ=="), BinData(0, "pIRuYQ=="), BinData(0, "Mj/KCQ=="), BinData(0, "2PMfAg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ=="), BinData(0, "w3H+AQ=="), BinData(0, "ToD9AQ=="), BinData(0, "ToD+AQ=="), BinData(0, "w3H+BQ=="), BinData(0, "w3H+Ag=="), BinData(0, "ToD/AQ=="), BinData(0, "w3H9Bg=="), BinData(0, "w3H8Aw=="), BinData(0, "w3H+BA=="), BinData(0, "w3H+Bg=="), BinData(0, "w3H+Bw=="), BinData(0, "w3H8Ag=="), BinData(0, "w3H+Aw=="), BinData(0, "w3H9Aw=="), BinData(0, "w3H8Bw=="), BinData(0, "w3H8Bg=="), BinData(0, "w3H8BA=="), BinData(0, "w3H9BQ=="), BinData(0, "w3H9BA=="), BinData(0, "w3H8BQ=="), BinData(0, "w3H9Bw=="), BinData(0, "w3H9Ag=="), BinData(0, "w3H/BA=="), BinData(0, "w3H/Ag==") ] } }, { "Target.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "Tfe1og=="), BinData(0, "beZVmw=="), BinData(0, "UFJGxg=="), BinData(0, "UFJBPQ=="), 
BinData(0, "RwaHgw=="), BinData(0, "qeUDWw=="), BinData(0, "Lup9WQ=="), BinData(0, "Rwanjg=="), BinData(0, "aCjq4Q=="), BinData(0, "uUizEw=="), BinData(0, "QvDAig=="), BinData(0, "QvDsdw=="), BinData(0, "aMH85g=="), BinData(0, "xhRFYg=="), BinData(0, "xhRXYg=="), BinData(0, "QvDbkg=="), BinData(0, "xhRFSg=="), BinData(0, "Rwaepg=="), BinData(0, "W+xLBA=="), BinData(0, "RwalyA=="), BinData(0, "RwaSuQ=="), BinData(0, "pIRuYQ=="), BinData(0, "Mj/KCQ=="), BinData(0, "2PMfAg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ=="), BinData(0, "w3H+AQ=="), BinData(0, "ToD9AQ=="), BinData(0, "ToD+AQ=="), BinData(0, "w3H+BQ=="), BinData(0, "w3H+Ag=="), BinData(0, "ToD/AQ=="), BinData(0, "w3H9Bg=="), BinData(0, "w3H8Aw=="), BinData(0, "w3H+BA=="), BinData(0, "w3H+Bg=="), BinData(0, "w3H+Bw=="), BinData(0, "w3H8Ag=="), BinData(0, "w3H+Aw=="), BinData(0, "w3H9Aw=="), BinData(0, "w3H8Bw=="), BinData(0, "w3H8Bg=="), BinData(0, "w3H8BA=="), BinData(0, "w3H9BQ=="), BinData(0, "w3H9BA=="), BinData(0, "w3H8BQ=="), BinData(0, "w3H9Bw=="), BinData(0, "w3H9Ag=="), BinData(0, "w3H/BA=="), BinData(0, "w3H/Ag==") ] } } ] }).count()
result = 2 877 964, time = 0:32,25 minutes
ip_list(128)¶
- ip_list(128)=
217.23.5.2, 91.192.197.204, 93.174.93.94, 207.244.70.169, 217.23.5.21, 89.248.172.140, 84.22.2.142, 195.62.52.90, 77.247.181.162, 109.230.85.155, 80.82.70.198, 80.82.65.61, 71.6.135.131, 169.229.3.91, 46.234.125.89, 71.6.167.142, 104.40.234.225, 185.72.179.19, 66.240.192.138, 66.240.236.119, 104.193.252.230, 198.20.69.98, 198.20.87.98, 66.240.219.146, 198.20.69.74, 71.6.158.166, 91.236.75.4, 71.6.165.200, 71.6.146.185, 164.132.110.97, 50.63.202.9, 216.243.31.2, 51.255.197.220, 87.98.190.53, 220.243.235.15, 82.135.32.210, 37.207.230.155, 46.100.58.85, 208.100.26.230, 208.100.26.231, 208.100.26.232, 208.100.26.229, 198.20.70.114, 188.138.1.218, 169.228.66.91, 198.20.99.130, 88.159.17.130, 96.228.211.79, 96.89.241.6, 82.221.105.7, 82.221.105.6, 31.44.191.229, 209.95.43.8, 198.27.69.222, 37.49.225.53, 186.2.161.93, 85.25.43.94, 122.226.213.231, 141.212.122.129, 157.255.26.0, 207.244.76.204, 91.197.232.85, 193.28.179.25, 94.102.48.194, 195.113.252.49, 195.113.252.177, 195.113.252.161, 195.113.252.33, 147.229.104.0, 217.31.192.0, 195.113.255.1, 195.113.253.1, 195.113.254.1, 78.128.253.1, 78.128.254.1, 195.113.254.5, 195.113.254.2, 78.128.255.1, 195.113.253.6, 195.113.252.3, 195.113.254.4, 195.113.254.6, 195.113.254.7, 195.113.252.2, 195.113.254.3, 195.113.253.3, 195.113.252.7, 195.113.252.6, 195.113.252.4, 195.113.253.5, 195.113.253.4, 195.113.252.5, 195.113.253.7, 195.113.253.2, 195.113.255.4, 195.113.255.2, 195.113.255.3, 195.113.255.6, 195.113.255.5, 195.113.165.128, 78.128.253.2, 78.128.254.2, 78.128.252.2, 78.128.255.2, 195.113.254.8, 78.104.177.26, 195.178.94.39, 195.113.252.8, 78.128.252.3, 195.113.0.0, 78.128.254.169, 195.113.255.181, 195.113.254.169, 147.230.185.94, 78.128.254.41, 147.230.121.151, 78.128.252.121, 78.128.252.147, 147.230.77.10, 147.230.97.230, 78.128.253.161, 78.128.253.152, 78.128.252.241, 78.128.252.225, 78.128.254.23, 195.113.252.94, 78.128.174.42, 78.128.252.52
db.alerts.find({ "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") }, "$or":[ { "Source.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "Tfe1og=="), BinData(0, "beZVmw=="), BinData(0, "UFJGxg=="), BinData(0, "UFJBPQ=="), BinData(0, "RwaHgw=="), BinData(0, "qeUDWw=="), BinData(0, "Lup9WQ=="), BinData(0, "Rwanjg=="), BinData(0, "aCjq4Q=="), BinData(0, "uUizEw=="), BinData(0, "QvDAig=="), BinData(0, "QvDsdw=="), BinData(0, "aMH85g=="), BinData(0, "xhRFYg=="), BinData(0, "xhRXYg=="), BinData(0, "QvDbkg=="), BinData(0, "xhRFSg=="), BinData(0, "Rwaepg=="), BinData(0, "W+xLBA=="), BinData(0, "RwalyA=="), BinData(0, "RwaSuQ=="), BinData(0, "pIRuYQ=="), BinData(0, "Mj/KCQ=="), BinData(0, "2PMfAg=="), BinData(0, "M//F3A=="), BinData(0, "V2K+NQ=="), BinData(0, "3PPrDw=="), BinData(0, "Uocg0g=="), BinData(0, "Jc/mmw=="), BinData(0, "LmQ6VQ=="), BinData(0, "0GQa5g=="), BinData(0, "0GQa5w=="), BinData(0, "0GQa6A=="), BinData(0, "0GQa5Q=="), BinData(0, "xhRGcg=="), BinData(0, "vIoB2g=="), BinData(0, "qeRCWw=="), BinData(0, "xhRjgg=="), BinData(0, "WJ8Rgg=="), BinData(0, "YOTTTw=="), BinData(0, "YFnxBg=="), BinData(0, "Ut1pBw=="), BinData(0, "Ut1pBg=="), BinData(0, "Hyy/5Q=="), BinData(0, "0V8rCA=="), BinData(0, "xhtF3g=="), BinData(0, "JTHhNQ=="), BinData(0, "ugKhXQ=="), BinData(0, "VRkrXg=="), BinData(0, "euLV5w=="), BinData(0, "jdR6gQ=="), BinData(0, "nf8aAA=="), BinData(0, "z/RMzA=="), BinData(0, "W8XoVQ=="), BinData(0, "wRyzGQ=="), BinData(0, "XmYwwg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ=="), BinData(0, "w3H+AQ=="), BinData(0, "ToD9AQ=="), BinData(0, "ToD+AQ=="), BinData(0, "w3H+BQ=="), BinData(0, "w3H+Ag=="), BinData(0, 
"ToD/AQ=="), BinData(0, "w3H9Bg=="), BinData(0, "w3H8Aw=="), BinData(0, "w3H+BA=="), BinData(0, "w3H+Bg=="), BinData(0, "w3H+Bw=="), BinData(0, "w3H8Ag=="), BinData(0, "w3H+Aw=="), BinData(0, "w3H9Aw=="), BinData(0, "w3H8Bw=="), BinData(0, "w3H8Bg=="), BinData(0, "w3H8BA=="), BinData(0, "w3H9BQ=="), BinData(0, "w3H9BA=="), BinData(0, "w3H8BQ=="), BinData(0, "w3H9Bw=="), BinData(0, "w3H9Ag=="), BinData(0, "w3H/BA=="), BinData(0, "w3H/Ag=="), BinData(0, "w3H/Aw=="), BinData(0, "w3H/Bg=="), BinData(0, "w3H/BQ=="), BinData(0, "w3GlgA=="), BinData(0, "ToD9Ag=="), BinData(0, "ToD+Ag=="), BinData(0, "ToD8Ag=="), BinData(0, "ToD/Ag=="), BinData(0, "w3H+CA=="), BinData(0, "TmixGg=="), BinData(0, "w7JeJw=="), BinData(0, "w3H8CA=="), BinData(0, "ToD8Aw=="), BinData(0, "w3EAAA=="), BinData(0, "ToD+qQ=="), BinData(0, "w3H/tQ=="), BinData(0, "w3H+qQ=="), BinData(0, "k+a5Xg=="), BinData(0, "ToD+KQ=="), BinData(0, "k+Z5lw=="), BinData(0, "ToD8eQ=="), BinData(0, "ToD8kw=="), BinData(0, "k+ZNCg=="), BinData(0, "k+Zh5g=="), BinData(0, "ToD9oQ=="), BinData(0, "ToD9mA=="), BinData(0, "ToD88Q=="), BinData(0, "ToD84Q=="), BinData(0, "ToD+Fw=="), BinData(0, "w3H8Xg=="), BinData(0, "ToCuKg=="), BinData(0, "ToD8NA==") ] } }, { "Target.IP4.ip":{ "$in":[ BinData(0, "2RcFAg=="), BinData(0, "W8DFzA=="), BinData(0, "Xa5dXg=="), BinData(0, "z/RGqQ=="), BinData(0, "2RcFFQ=="), BinData(0, "WfisjA=="), BinData(0, "VBYCjg=="), BinData(0, "wz40Wg=="), BinData(0, "Tfe1og=="), BinData(0, "beZVmw=="), BinData(0, "UFJGxg=="), BinData(0, "UFJBPQ=="), BinData(0, "RwaHgw=="), BinData(0, "qeUDWw=="), BinData(0, "Lup9WQ=="), BinData(0, "Rwanjg=="), BinData(0, "aCjq4Q=="), BinData(0, "uUizEw=="), BinData(0, "QvDAig=="), BinData(0, "QvDsdw=="), BinData(0, "aMH85g=="), BinData(0, "xhRFYg=="), BinData(0, "xhRXYg=="), BinData(0, "QvDbkg=="), BinData(0, "xhRFSg=="), BinData(0, "Rwaepg=="), BinData(0, "W+xLBA=="), BinData(0, "RwalyA=="), BinData(0, "RwaSuQ=="), BinData(0, "pIRuYQ=="), BinData(0, "Mj/KCQ=="), 
BinData(0, "2PMfAg=="), BinData(0, "M//F3A=="), BinData(0, "V2K+NQ=="), BinData(0, "3PPrDw=="), BinData(0, "Uocg0g=="), BinData(0, "Jc/mmw=="), BinData(0, "LmQ6VQ=="), BinData(0, "0GQa5g=="), BinData(0, "0GQa5w=="), BinData(0, "0GQa6A=="), BinData(0, "0GQa5Q=="), BinData(0, "xhRGcg=="), BinData(0, "vIoB2g=="), BinData(0, "qeRCWw=="), BinData(0, "xhRjgg=="), BinData(0, "WJ8Rgg=="), BinData(0, "YOTTTw=="), BinData(0, "YFnxBg=="), BinData(0, "Ut1pBw=="), BinData(0, "Ut1pBg=="), BinData(0, "Hyy/5Q=="), BinData(0, "0V8rCA=="), BinData(0, "xhtF3g=="), BinData(0, "JTHhNQ=="), BinData(0, "ugKhXQ=="), BinData(0, "VRkrXg=="), BinData(0, "euLV5w=="), BinData(0, "jdR6gQ=="), BinData(0, "nf8aAA=="), BinData(0, "z/RMzA=="), BinData(0, "W8XoVQ=="), BinData(0, "wRyzGQ=="), BinData(0, "XmYwwg=="), BinData(0, "w3H8MQ=="), BinData(0, "w3H8sQ=="), BinData(0, "w3H8oQ=="), BinData(0, "w3H8IQ=="), BinData(0, "k+VoAA=="), BinData(0, "2R/AAA=="), BinData(0, "w3H/AQ=="), BinData(0, "w3H9AQ=="), BinData(0, "w3H+AQ=="), BinData(0, "ToD9AQ=="), BinData(0, "ToD+AQ=="), BinData(0, "w3H+BQ=="), BinData(0, "w3H+Ag=="), BinData(0, "ToD/AQ=="), BinData(0, "w3H9Bg=="), BinData(0, "w3H8Aw=="), BinData(0, "w3H+BA=="), BinData(0, "w3H+Bg=="), BinData(0, "w3H+Bw=="), BinData(0, "w3H8Ag=="), BinData(0, "w3H+Aw=="), BinData(0, "w3H9Aw=="), BinData(0, "w3H8Bw=="), BinData(0, "w3H8Bg=="), BinData(0, "w3H8BA=="), BinData(0, "w3H9BQ=="), BinData(0, "w3H9BA=="), BinData(0, "w3H8BQ=="), BinData(0, "w3H9Bw=="), BinData(0, "w3H9Ag=="), BinData(0, "w3H/BA=="), BinData(0, "w3H/Ag=="), BinData(0, "w3H/Aw=="), BinData(0, "w3H/Bg=="), BinData(0, "w3H/BQ=="), BinData(0, "w3GlgA=="), BinData(0, "ToD9Ag=="), BinData(0, "ToD+Ag=="), BinData(0, "ToD8Ag=="), BinData(0, "ToD/Ag=="), BinData(0, "w3H+CA=="), BinData(0, "TmixGg=="), BinData(0, "w7JeJw=="), BinData(0, "w3H8CA=="), BinData(0, "ToD8Aw=="), BinData(0, "w3EAAA=="), BinData(0, "ToD+qQ=="), BinData(0, "w3H/tQ=="), BinData(0, "w3H+qQ=="), BinData(0, "k+a5Xg=="), 
BinData(0, "ToD+KQ=="), BinData(0, "k+Z5lw=="), BinData(0, "ToD8eQ=="), BinData(0, "ToD8kw=="), BinData(0, "k+ZNCg=="), BinData(0, "k+Zh5g=="), BinData(0, "ToD9oQ=="), BinData(0, "ToD9mA=="), BinData(0, "ToD88Q=="), BinData(0, "ToD84Q=="), BinData(0, "ToD+Fw=="), BinData(0, "w3H8Xg=="), BinData(0, "ToCuKg=="), BinData(0, "ToD8NA==") ] } } ] }).count()
result = 3 274 716, time = 0:31,87 minutes
Vrat vsechny udalosti z casoveho okna ve kterych figurovala IP adresa ip a Port port¶
... WHERE ("DetectTime" >= start AND "DetectTime" <= end) AND ("Source.IP4.ip" = ip OR "Target.IP4.ip" = ip) AND ("Source.Port" = port OR "Target.Port" = port)
{ "$and":[ { "DetectTime":{ "$gte":start, "$lte":end } }, { "$or":[ { "Source.IP4.ip":ip }, { "Target.IP4.ip":ip } ] }, { "$or":[ { "Source.Port":port }, { "Target.Port":port } ] } ] }
start = 2016-06-06T12:00:00 (2v/IIAAAAAA=)
end = 2016-06-12T12:00:00 (2wexIAAAAAA=)
ip= 195.113.252.33 (w3H8IQ==)
port = 666
query =
// IP 195.113.252.33 (w3H8IQ==) AND port 666 within the window.
// An explicit $and is required here: the filter needs two separate $or clauses, and
// two "$or" keys cannot coexist in one JavaScript object literal (the second would
// overwrite the first).
// The IP side and the port side are matched independently - an event where the IP is
// the Source and port 666 is the Target port is counted too. Port is an integer
// literal, unlike the packed BinData addresses.
db.alerts.find({ "$and":[ { "DetectTime":{ "$gte":BinData(0, "2v/IIAAAAAA="), "$lte":BinData(0, "2wexIAAAAAA=") } }, { "$or":[ { "Source.IP4.ip":BinData(0,"w3H8IQ==") }, { "Target.IP4.ip":BinData(0,"w3H8IQ==") } ] }, { "$or":[ { "Source.Port":666 }, { "Target.Port":666 } ] } ] }).count()
result = 353365 events, time = 0:03,36 minutes