Add WafPolicies
This commit is contained in:
Dan Milne
@@ -76,6 +76,57 @@ class AnalyticsController < ApplicationController
|
||||
end
|
||||
end
|
||||
|
||||
def networks
|
||||
authorize :analytics, :index?
|
||||
|
||||
# Time period selector (default: last 24 hours)
|
||||
@time_period = params[:period]&.to_sym || :day
|
||||
@start_time = calculate_start_time(@time_period)
|
||||
|
||||
# Top networks by request volume
|
||||
@top_networks = NetworkRange.joins("LEFT JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ? OR events.timestamp IS NULL", @start_time)
|
||||
.group("network_ranges.id", "network_ranges.network", "network_ranges.company", "network_ranges.asn", "network_ranges.country", "network_ranges.is_datacenter", "network_ranges.is_vpn", "network_ranges.is_proxy")
|
||||
.select("network_ranges.*, COUNT(events.id) as event_count, COUNT(DISTINCT events.ip_address) as unique_ips")
|
||||
.order("event_count DESC")
|
||||
.limit(50)
|
||||
|
||||
# Network type breakdown with traffic stats
|
||||
@network_breakdown = calculate_network_type_stats(@start_time)
|
||||
|
||||
# Company breakdown for top traffic sources
|
||||
@top_companies = NetworkRange.joins("LEFT JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ? AND network_ranges.company IS NOT NULL", @start_time)
|
||||
.group("network_ranges.company")
|
||||
.select("network_ranges.company, COUNT(events.id) as event_count, COUNT(DISTINCT events.ip_address) as unique_ips, COUNT(DISTINCT network_ranges.id) as network_count")
|
||||
.order("event_count DESC")
|
||||
.limit(20)
|
||||
|
||||
# ASN breakdown
|
||||
@top_asns = NetworkRange.joins("LEFT JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ? AND network_ranges.asn IS NOT NULL", @start_time)
|
||||
.group("network_ranges.asn", "network_ranges.asn_org")
|
||||
.select("network_ranges.asn, network_ranges.asn_org, COUNT(events.id) as event_count, COUNT(DISTINCT events.ip_address) as unique_ips, COUNT(DISTINCT network_ranges.id) as network_count")
|
||||
.order("event_count DESC")
|
||||
.limit(15)
|
||||
|
||||
# Geographic breakdown
|
||||
@top_countries = NetworkRange.joins("LEFT JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ? AND network_ranges.country IS NOT NULL", @start_time)
|
||||
.group("network_ranges.country")
|
||||
.select("network_ranges.country, COUNT(events.id) as event_count, COUNT(DISTINCT events.ip_address) as unique_ips, COUNT(DISTINCT network_ranges.id) as network_count")
|
||||
.order("event_count DESC")
|
||||
.limit(15)
|
||||
|
||||
# Suspicious network activity patterns
|
||||
@suspicious_patterns = calculate_suspicious_patterns(@start_time)
|
||||
|
||||
respond_to do |format|
|
||||
format.html
|
||||
format.json { render json: network_analytics_json }
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def calculate_start_time(period)
|
||||
@@ -132,4 +183,132 @@ class AnalyticsController < ApplicationController
|
||||
]
|
||||
}
|
||||
end
|
||||
|
||||
def calculate_network_type_stats(start_time)
|
||||
# Get all network types with their traffic statistics
|
||||
network_types = [
|
||||
{ type: 'datacenter', label: 'Datacenter' },
|
||||
{ type: 'vpn', label: 'VPN' },
|
||||
{ type: 'proxy', label: 'Proxy' }
|
||||
]
|
||||
|
||||
results = {}
|
||||
total_events = Event.where("timestamp >= ?", start_time).count
|
||||
|
||||
network_types.each do |network_type|
|
||||
scope = case network_type[:type]
|
||||
when 'datacenter' then NetworkRange.datacenter
|
||||
when 'vpn' then NetworkRange.vpn
|
||||
when 'proxy' then NetworkRange.proxy
|
||||
end
|
||||
|
||||
if scope
|
||||
network_stats = scope.joins("LEFT JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ? OR events.timestamp IS NULL", start_time)
|
||||
.select("COUNT(events.id) as event_count, COUNT(DISTINCT events.ip_address) as unique_ips, COUNT(DISTINCT network_ranges.id) as network_count")
|
||||
.first
|
||||
|
||||
results[network_type[:type]] = {
|
||||
label: network_type[:label],
|
||||
networks: network_stats.network_count,
|
||||
events: network_stats.event_count,
|
||||
unique_ips: network_stats.unique_ips,
|
||||
percentage: total_events > 0 ? ((network_stats.event_count.to_f / total_events) * 100).round(1) : 0
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
# Calculate standard networks (everything else)
|
||||
standard_stats = NetworkRange.where(is_datacenter: false, is_vpn: false, is_proxy: false)
|
||||
.joins("LEFT JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ? OR events.timestamp IS NULL", start_time)
|
||||
.select("COUNT(events.id) as event_count, COUNT(DISTINCT events.ip_address) as unique_ips, COUNT(DISTINCT network_ranges.id) as network_count")
|
||||
.first
|
||||
|
||||
results['standard'] = {
|
||||
label: 'Standard',
|
||||
networks: standard_stats.network_count,
|
||||
events: standard_stats.event_count,
|
||||
unique_ips: standard_stats.unique_ips,
|
||||
percentage: total_events > 0 ? ((standard_stats.event_count.to_f / total_events) * 100).round(1) : 0
|
||||
}
|
||||
|
||||
results
|
||||
end
|
||||
|
||||
def calculate_suspicious_patterns(start_time)
|
||||
patterns = {}
|
||||
|
||||
# High volume networks (top 1% by request count)
|
||||
total_networks = NetworkRange.joins("LEFT JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ?", start_time)
|
||||
.distinct.count
|
||||
|
||||
high_volume_threshold = [total_networks * 0.01, 1].max
|
||||
high_volume_networks = NetworkRange.joins("INNER JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ?", start_time)
|
||||
.group("network_ranges.id")
|
||||
.having("COUNT(events.id) > ?", Event.where("timestamp >= ?", start_time).count / total_networks)
|
||||
.count
|
||||
|
||||
patterns[:high_volume] = {
|
||||
count: high_volume_networks.count,
|
||||
networks: high_volume_networks.keys
|
||||
}
|
||||
|
||||
# Networks with high deny rates (> 50% blocked requests)
|
||||
high_deny_networks = NetworkRange.joins("INNER JOIN events ON events.ip_address <<= network_ranges.network")
|
||||
.where("events.timestamp >= ?", start_time)
|
||||
.group("network_ranges.id")
|
||||
.select("network_ranges.id,
|
||||
COUNT(CASE WHEN events.waf_action = 1 THEN 1 END) as denied_count,
|
||||
COUNT(events.id) as total_count")
|
||||
.having("COUNT(CASE WHEN events.waf_action = 1 THEN 1 END)::float / COUNT(events.id) > 0.5")
|
||||
.having("COUNT(events.id) >= 10") # minimum threshold
|
||||
|
||||
patterns[:high_deny_rate] = {
|
||||
count: high_deny_networks.count,
|
||||
network_ids: high_deny_networks.map(&:id)
|
||||
}
|
||||
|
||||
# Networks appearing as multiple subnets (potential botnets)
|
||||
company_subnets = NetworkRange.where("company IS NOT NULL")
|
||||
.where("timestamp >= ? OR timestamp IS NULL", start_time)
|
||||
.group(:company)
|
||||
.select(:company, "COUNT(DISTINCT network) as subnet_count")
|
||||
.having("COUNT(DISTINCT network) > 5")
|
||||
.order("subnet_count DESC")
|
||||
.limit(10)
|
||||
|
||||
patterns[:distributed_companies] = company_subnets.map do |company|
|
||||
{
|
||||
company: company.company,
|
||||
subnets: company.subnet_count
|
||||
}
|
||||
end
|
||||
|
||||
patterns
|
||||
end
|
||||
|
||||
def network_analytics_json
|
||||
{
|
||||
top_networks: @top_networks.map { |network|
|
||||
{
|
||||
id: network.id,
|
||||
cidr: network.cidr,
|
||||
company: network.company,
|
||||
asn: network.asn,
|
||||
country: network.country,
|
||||
network_type: network.network_type,
|
||||
event_count: network.event_count,
|
||||
unique_ips: network.unique_ips
|
||||
}
|
||||
},
|
||||
network_breakdown: @network_breakdown,
|
||||
top_companies: @top_companies,
|
||||
top_asns: @top_asns,
|
||||
top_countries: @top_countries,
|
||||
suspicious_patterns: @suspicious_patterns
|
||||
}
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user