[2025-12-10 19:41:42.445] [DEBUG] [tid:129356944758464] (main_gbm.cpp:334) 启动 gbm预测及训练! [2025-12-10 19:41:42.448] [ERROR] [tid:129356944758464] (KafkaConsumer.cpp:173) Created consumer rdkafka#consumer-2 [2025-12-10 19:41:42.448] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:453) subscribe successed: Success [2025-12-10 19:42:22.556] [ERROR] [tid:129356944758464] (KafkaConsumer.cpp:89) RebalanceCb: Local: Assign partitions: [2025-12-10 19:42:22.556] [ERROR] [tid:129356944758464] (KafkaConsumer.cpp:79) analyzed_queue_gbm[0], [2025-12-10 19:42:22.556] [ERROR] [tid:129356944758464] (KafkaConsumer.cpp:79) analyzed_queue_gbm[1], [2025-12-10 19:42:22.556] [ERROR] [tid:129356944758464] (KafkaConsumer.cpp:79) analyzed_queue_gbm[2], [2025-12-10 20:21:45.050] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25517 key: NULL payload: {"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765360664.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765360664.jsonl?X-Amz-Date=20251210T122144Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=d5ef1f8713d62da2454c5009c44908d78859e49f26f4b4ec662f64ec1b08fc67&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-10 20:21:45.051] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:21:45.051] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:21:46.262] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:21:46.262] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:21:46.262] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:21:46.262] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:21:46.269] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765360664.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369306262, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:21:46.269] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:21:46.269] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:21:52.567] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25870 key: NULL payload: {"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765347149.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765347149.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251210T122152Z&X-Amz-Signature=28ac2842656c9315397506c9a8ff34a619bcc712a7d406333774507a3c2f7cdf&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-10 20:21:52.567] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:21:52.567] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:21:52.567] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:21:52.567] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:21:52.568] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:21:52.568] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:21:52.575] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765347149.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369312568, "module": "anquanchu", "alerted": false, 
"details": []} [2025-12-10 20:21:52.575] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:21:52.575] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:21:58.242] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25871 key: NULL payload: {"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765357961.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765357961.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=11a8b6d9d0b6257e42b82bd749947cf1ea2b60e70eea0190e408dc47646630b4&X-Amz-Date=20251210T122158Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-10 20:21:58.242] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:21:58.242] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:21:58.243] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:21:58.243] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:21:58.243] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:21:58.243] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:21:58.248] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765357961.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369318243, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:21:58.248] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:21:58.248] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) 
gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:01.743] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25872 key: NULL payload: {"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765348050.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765348050.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251210T122201Z&X-Amz-Expires=604800&X-Amz-Signature=e932c5ca216ad105d79bbcd801f13a188bb0747d17a4908f63fe9a78d78eed47&X-Amz-SignedHeaders=host"} [2025-12-10 20:22:01.743] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:01.743] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:01.743] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:01.743] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:01.743] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:01.743] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:01.747] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765348050.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369321744, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:01.747] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:01.747] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:03.120] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25518 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765346248.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765346248.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=85e23a16732186c1cfa2d68cbe177ce26a8aeb1937785c4574a191dd31728e5f&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251210T122203Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-10 20:22:03.120] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:03.120] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:03.120] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:03.120] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:03.120] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:03.120] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:03.123] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765346248.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369323120, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:03.124] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:03.124] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:04.429] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25519 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765351654.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765351654.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=0b48255402cfac387f97c6e9cfa8fbaf6f1a662d908e3e690f5d1d44826a4766&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251210T122204Z"} [2025-12-10 20:22:04.429] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:04.429] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:04.429] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:04.429] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:04.429] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:04.430] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:04.433] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765351654.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369324430, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:04.433] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:04.433] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:05.838] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24730 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765350753.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765350753.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251210T122205Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=e7b88d854d15ba2853eac86de49a32d9f5f3014fc4dec7606ecb5200a0ed0fe2&X-Amz-Expires=604800"} [2025-12-10 20:22:05.838] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:05.838] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:05.839] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:05.839] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:05.839] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:05.839] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:05.843] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765350753.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369325839, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:05.843] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:05.843] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:06.826] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25873 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765348951.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765348951.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251210T122206Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=ba00e17b23c691e8f1502b6666ab9c8889ac50bd758a2f9c4de9a472a774287a"} [2025-12-10 20:22:06.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:06.826] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:06.826] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:06.826] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:06.826] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:06.827] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:06.831] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765348951.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369326827, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:06.831] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:06.831] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:07.703] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25874 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765352555.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765352555.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=7041e3b1401466dc13b9374e9e032167a4ad7dcc300878f1f212a0c8d4ce2e81&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251210T122207Z&X-Amz-Expires=604800"} [2025-12-10 20:22:07.703] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:07.703] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:07.704] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:07.704] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:07.704] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:07.704] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:07.708] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765352555.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369327704, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:07.708] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:07.708] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:08.555] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25520 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765349852.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765349852.jsonl?X-Amz-Signature=6c608e8bf722b3dfe770fedc10e7f09f928fe1bcb18311a05f1a6fe402c88917&X-Amz-Date=20251210T122208Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-10 20:22:08.555] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:08.555] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:08.555] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:08.555] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:08.555] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:08.555] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:08.559] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765349852.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369328555, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:08.559] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:08.559] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:09.414] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24731 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765353456.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765353456.jsonl?X-Amz-Date=20251210T122209Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=c8cbd9d7bdc8cd7d5b146c50c7ff97418cd6fd44f68183311c54092b0356438d&X-Amz-SignedHeaders=host"} [2025-12-10 20:22:09.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:09.414] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:09.414] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:09.414] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:09.414] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:09.415] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:09.418] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765353456.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369329415, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:09.418] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:09.418] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:10.288] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25521 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765359763.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765359763.jsonl?X-Amz-Signature=fcc01cba7dba5da3952d4c559f6d64acf06744c3b65169208efada0c4323da42&X-Amz-Date=20251210T122210Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-10 20:22:10.289] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:10.289] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:10.289] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:10.289] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:10.289] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:10.289] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:10.293] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765359763.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369330289, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:10.293] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:10.293] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:11.132] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25522 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765358862.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765358862.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251210T122211Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=7ad52f9eb555a47e4253a060f8ffd43b9ff674b52ecbfc16d1511e2290fa911f&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-10 20:22:11.132] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:11.132] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:11.132] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:11.132] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:11.132] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:11.132] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:11.136] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765358862.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369331132, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:11.136] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:11.136] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:12.353] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25875 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765356159.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765356159.jsonl?X-Amz-Signature=cfa36c9bd6f17bbc6faab59198c650dac3fc34dc0a4bb786f91f1ea16b077812&X-Amz-Date=20251210T122212Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-10 20:22:12.353] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:12.353] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:12.353] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:12.353] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:12.353] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:12.353] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:12.357] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765356159.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369332354, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:12.357] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:12.357] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:14.015] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25876 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765355258.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765355258.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251210T122213Z&X-Amz-Expires=604800&X-Amz-Signature=534a92ccffcf1ca7b28e1d14b9214851f09c9071c590f9b1e937069d5cb97d57"} [2025-12-10 20:22:14.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:14.015] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:14.015] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:14.015] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:14.015] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:14.016] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:14.027] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765355258.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369334016, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:14.027] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:14.027] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-10 20:22:14.916] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24732 key: NULL payload: 
{"bucket":"2025-12-10","object":"20/output/gbm/alert.pcap.9.1765354357.jsonl","url":"http://111.32.12.11:9000/2025-12-10/20/output/gbm/alert.pcap.9.1765354357.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=b7e04ed847329c9105b8066bab3e303f2573cbc174a17e856af29ff07e2adb3a&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251210T122214Z&X-Amz-Expires=604800"} [2025-12-10 20:22:14.916] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-10 20:22:14.916] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-10 20:22:14.917] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-10 20:22:14.917] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-10 20:22:14.917] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-10 20:22:14.917] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-10 20:22:14.921] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-10|object:20/output/gbm/alert.pcap.9.1765354357.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765369334917, "module": "anquanchu", "alerted": false, "details": []} [2025-12-10 20:22:14.921] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-10 20:22:14.921] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:26.549] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25523 key: NULL payload: 
{"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.10.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.10.17610986930914.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=1bf8a273f55015a68d8060158e08f5b761cf106e7b8cc46a477b72b4add7390b&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T011426Z"} [2025-12-11 09:14:26.549] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:26.549] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:26.549] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:26.549] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:26.549] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:26.550] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:26.794] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.10.17610986930914.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765415666550, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", 
"src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:26.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:14:26.794] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:26.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:26.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:14:27.111] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25877 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.1765357060.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.1765357060.jsonl?X-Amz-Signature=d54ae143c721160ec330ca8431842761ebc71f25c517af1f217d3cb1f3e7ceff&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T011427Z"} [2025-12-11 09:14:27.111] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:27.112] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:27.112] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:27.112] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:27.112] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:27.112] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:27.115] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.1765357060.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765415667112, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 09:14:27.115] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 09:14:27.116] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:30.692] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25524 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.11.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.11.17610986930914.jsonl?X-Amz-Signature=010f49bc510e3a9fb7324c85d57e1a4c316db355693c8d638ab673733204feeb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T011430Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 09:14:30.692] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:30.692] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:30.692] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:30.692] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:30.692] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:30.693] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:30.927] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.11.17610986930914.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 
1765415670693, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:30.928] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 09:14:30.928] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:30.928] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 09:14:30.928] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:14:33.855] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25878 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.1.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.1.17610986930914.jsonl?X-Amz-Date=20251211T011433Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=9010c96235b5b45793512a54f76c18381620872d8f09bb3d3c7e1187f0c1c157"} [2025-12-11 09:14:33.855] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:33.855] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:33.855] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:33.855] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:33.855] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:33.856] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:34.109] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.1.17610986930914.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765415673856, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:34.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:14:34.109] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) 
gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:34.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:34.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:14:37.069] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25879 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.12.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.12.17610986930914.jsonl?X-Amz-Date=20251211T011436Z&X-Amz-Signature=704338678f7784a8f2a51e6741aa6a6309c58bc32fcea1ca563f003ce485fa25&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 09:14:37.069] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:37.069] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:37.069] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:37.069] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:37.069] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:37.070] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:37.308] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.12.17610986930914.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765415677070, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", 
"src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:37.308] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 09:14:37.308] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:37.308] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:37.308] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:14:40.240] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25525 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.13.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.13.17610986930914.jsonl?X-Amz-Date=20251211T011439Z&X-Amz-Expires=604800&X-Amz-Signature=3fa7589107c619159021fb8b39b52a733ed78d2e30bbd7c2bce90e695db2a929&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:14:40.240] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:40.240] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:40.240] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:40.240] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:40.240] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:40.240] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:40.445] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.13.17610986930914.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, 
"abnormal_count": 25, "normal_count": 0, "timestamp": 1765415680240, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:40.445] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 09:14:40.445] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:40.445] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:40.445] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:14:43.618] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25526 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.14.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.14.17610986930914.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T011443Z&X-Amz-SignedHeaders=host&X-Amz-Signature=b4ade1ecd9de16909ca2dcd0e6d6442ab6515d27b18af774019d11e6de5062eb&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 09:14:43.618] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:43.618] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:43.618] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:43.618] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:43.618] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:43.619] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:43.864] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.14.17610986930914.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765415683619, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:43.864] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:14:43.864] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:43.864] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 09:14:43.864] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:14:46.759] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24733 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.15.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.15.17610986930914.jsonl?X-Amz-Date=20251211T011446Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=0ff6861ef3a07259f28f41f051fdd87be2463b670fec1cfcebae1e2870834eef&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 09:14:46.759] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:46.759] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:46.760] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:46.760] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:46.760] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:46.760] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:47.008] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.15.17610986930914.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765415686761, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, 
"dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:47.008] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 09:14:47.008] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:47.008] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:47.008] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:14:50.133] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24734 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.16.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.16.17610986930914.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T011449Z&X-Amz-SignedHeaders=host&X-Amz-Signature=360af7336098e46d6cde0ae0b6bb418cc9142ae730483a43b81d3c2d13ab2702"} [2025-12-11 09:14:50.134] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:50.134] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:50.134] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:50.134] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:50.134] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:50.135] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:50.401] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.16.17610986930914.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765415690135, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": 
"tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:50.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 09:14:50.401] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:50.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:50.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:14:53.589] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24735 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.17.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.17.17610986930914.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T011453Z&X-Amz-Signature=b468d74c19b90dc3ecd1ca2590f241c882335ce2cc18a44de1d55db92527128e&X-Amz-Expires=604800"} [2025-12-11 09:14:53.589] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:53.589] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:53.590] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:53.590] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:53.590] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:53.591] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:53.889] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.17.17610986930914.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765415693591, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:53.889] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:14:53.889] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:53.889] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:53.890] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:14:56.727] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25527 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.18.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.18.17610986930914.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T011456Z&X-Amz-Signature=2ccdfe0e64fd228716bd510c35b53c379fc866d8f1404ea857c55e7226f6c87d&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 09:14:56.727] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:56.727] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:56.727] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:56.727] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:56.727] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:56.728] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:14:56.960] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.18.17610986930914.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765415696728, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:14:56.960] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:14:56.960] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:14:56.960] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:14:56.960] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:14:59.892] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25880 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.19.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.19.17610986930914.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=f1e5fce940de26b4616160e88151bc542fd5a892467539646fd9a2ad0e809857&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T011459Z"} [2025-12-11 09:14:59.892] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:14:59.892] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:14:59.892] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:14:59.892] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:14:59.892] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:14:59.893] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:00.133] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.19.17610986930914.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765415699893, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:00.133] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:15:00.133] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:00.133] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:00.133] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:03.075] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25881 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.20.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.20.17610986930914.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=fd8f6b67b8346d513fc23773f1f4206da8a56958d7d050b407ca3d2524db98b3&X-Amz-Expires=604800&X-Amz-Date=20251211T011502Z"} [2025-12-11 09:15:03.075] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:03.075] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:03.075] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:03.075] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:03.075] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:03.075] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:03.311] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:09/output/gbm/alert.pcap.20.17610986930914.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765415703075, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", 
"src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:03.312] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:15:03.312] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:03.312] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:03.312] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:15:06.211] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25882 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.21.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.21.17610986930914.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=179fd6218ca8a719a7526c3894f2803e66a0d8d70a0acced3d70aa55ff034f7e&X-Amz-Date=20251211T011505Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:15:06.211] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:06.211] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:06.212] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:06.212] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:06.212] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:06.212] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:06.455] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.21.17610986930914.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765415706212, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:06.455] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 09:15:06.455] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:06.455] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:06.455] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:15:09.413] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24736 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.2.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.2.17610986930914.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=76512695b905b2c4bb33c8f707ab97068683a3bc0153c94ba01a4a10bb704154&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T011509Z"} [2025-12-11 09:15:09.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:09.413] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:09.413] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:09.413] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:09.413] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:09.413] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:09.667] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.2.17610986930914.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765415709413, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:09.667] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 09:15:09.667] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:09.667] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:09.667] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:15:12.909] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25528 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.22.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.22.17610986930914.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=7375f4b2a4a8c015eb6f3abc75a1bdad0d05b9b76778effa9b8505ef0efb6542&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T011512Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:15:12.909] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:12.909] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:12.909] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:12.909] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:12.909] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:12.910] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:13.178] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.22.17610986930914.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765415712910, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 
3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:13.178] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:15:13.178] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:13.178] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:13.178] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:16.754] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24737 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.23.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.23.17610986930914.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=6e0ac446d8b58c1cbceeb80d6ec2b37ba1fcbd5a351695f14966b17f09bb3fc4&X-Amz-Date=20251211T011516Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 09:15:16.754] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:16.754] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:16.754] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:16.754] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:16.754] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:16.755] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:16.998] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.23.17610986930914.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765415716755, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": 
"tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:16.998] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 09:15:16.998] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:16.998] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:16.998] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:19.991] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24738 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.24.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.24.17610986930914.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T011519Z&X-Amz-Signature=7742751ff8fa0bb080f1f5da297d9fd2ddf54ad9ffd659996de817b26c32229b"} [2025-12-11 09:15:19.991] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:19.991] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:19.991] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:19.991] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:19.991] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:19.991] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:20.224] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.24.17610986930914.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765415719991, "module": 
"anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:20.224] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:15:20.224] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:20.224] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:20.224] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:15:23.406] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24739 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.25.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.25.17610986930914.jsonl?X-Amz-Signature=1942b5118ff4872a3abcc86119a13b04bc37597651f7bd10813293c39abff3b0&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T011522Z&X-Amz-SignedHeaders=host"} [2025-12-11 09:15:23.406] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:23.406] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:23.407] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:23.407] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:23.407] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:23.407] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:23.646] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.25.17610986930914.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765415723407, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 
1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:23.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:15:23.646] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:23.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:23.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:26.646] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24740 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.26.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.26.17610986930914.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=e1fcd9146122963f4cbd2e885bd9839c7a84c4a2dbaaa04e8fcfe441ec36e9a1&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T011526Z&X-Amz-Expires=604800"} [2025-12-11 09:15:26.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:26.646] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:26.646] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:26.646] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:26.646] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:26.646] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:26.929] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.26.17610986930914.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765415726647, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:26.929] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:15:26.929] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:26.929] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:26.929] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:29.870] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25883 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.3.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.3.17610986930914.jsonl?X-Amz-Signature=b71c476b083d6e77573dbf423a7e9b6e1e7d73d785392f91860efa346c10bd33&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T011529Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 09:15:29.870] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:29.870] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:29.870] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:29.870] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:29.870] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:29.871] 
[INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:30.125] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.3.17610986930914.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765415729871, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 
1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", 
"protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:30.125] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 09:15:30.125] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:30.125] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:30.125] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:15:33.017] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24741 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.4.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.4.17610986930914.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T011532Z&X-Amz-Signature=a881b87e53673e03cd2beccce650a53b38465d7215988c7dcca35f1519c8823f"} [2025-12-11 09:15:33.017] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:33.017] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:33.017] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:33.017] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:33.017] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:33.018] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:33.234] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.4.17610986930914.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765415733018, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:33.234] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000 [2025-12-11 09:15:33.234] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:33.234] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:33.234] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:36.536] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24742 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.5.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.5.17610986930914.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=0bd2a1b571f6f110072ed79cbad25e96fc523bea81d328bc845e5cddc0625f5c&X-Amz-Date=20251211T011536Z"} [2025-12-11 09:15:36.536] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:36.536] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:36.537] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:36.537] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:36.537] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:36.538] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:36.786] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.5.17610986930914.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765415736538, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 
50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:36.786] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:15:36.786] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:36.786] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:36.786] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:15:39.676] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24743 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.6.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.6.17610986930914.jsonl?X-Amz-Date=20251211T011539Z&X-Amz-SignedHeaders=host&X-Amz-Signature=cf9d57658c708db29ad994dc2e93b712e235a7abeb5986ec0b41b06ff753ca5e&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:15:39.676] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:39.676] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:39.677] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:39.677] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:39.677] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:39.677] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:39.906] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.6.17610986930914.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765415739677, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:39.906] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 09:15:39.906] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:39.906] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:39.906] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:15:42.897] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25884 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.7.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.7.17610986930914.jsonl?X-Amz-Date=20251211T011542Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=261a76b51f8c376bd7a846ec55810d1b07baf2f2de0310da00b3a51577cb97a8&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:15:42.897] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:42.897] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:42.897] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:42.897] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:42.897] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:42.898] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:43.130] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.7.17610986930914.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765415742898, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", 
"protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:43.130] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:15:43.130] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:43.130] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:43.130] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:46.084] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24744 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.8.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.8.17610986930914.jsonl?X-Amz-Signature=3bb4bd1425a27f30d435bf0f42019cd0a7b91791e8b692673d1c77393d3da3d7&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T011545Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:15:46.084] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:46.084] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:46.084] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:46.084] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:46.084] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:46.084] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:46.318] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.8.17610986930914.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765415746085, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:46.318] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 09:15:46.318] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
09:15:46.318] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:46.319] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:15:49.278] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25885 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.17610986930914.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.17610986930914.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=a1d7fe69a49a90f0da22fbd2791a0616984fba4b843901e1c9e10580a8d0c408&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T011548Z"} [2025-12-11 09:15:49.278] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:15:49.278] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:15:49.278] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:15:49.278] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:15:49.278] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:15:49.279] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:15:49.527] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.17610986930914.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765415749279, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:15:49.527] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 09:15:49.527] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:15:49.527] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:15:49.527] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:20:09.330] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24745 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.10.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.10.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T012008Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=1c344ceb71ca08241cb61be7cc4243796b72e155053014b8cf8b6ee019bc120f"} [2025-12-11 09:20:09.330] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:09.330] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:09.330] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:09.330] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:09.330] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:09.331] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:09.612] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.10.17610986930920.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765416009331, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": 
"tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:09.612] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:20:09.612] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:09.612] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:09.612] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:12.483] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24746 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.11.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.11.17610986930920.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T012012Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=077e9cf3d4dab37e2c11cf22684c2c1e0a08bbf5eb38ae211703a22168653587"} [2025-12-11 09:20:12.483] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:12.483] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:12.483] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:12.483] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:12.483] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:12.484] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:12.727] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.11.17610986930920.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765416012484, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 
09:20:12.727] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 09:20:12.727] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:12.727] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:12.727] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:15.667] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24747 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.1.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.1.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=fc7b613ebbb68eacf03bfe3571ed307419a4b37383c006abd4bdf750aad8d6a9&X-Amz-Date=20251211T012015Z"} [2025-12-11 09:20:15.667] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:15.667] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:15.667] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:15.667] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:15.667] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:15.667] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:15.936] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.1.17610986930920.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765416015667, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", 
"src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:15.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:20:15.936] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:15.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:15.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:18.883] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25529 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.12.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.12.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=60442d437744e0c15c68ccd636393d1ac93c8289bb7e5c337f2324ff71eb83db&X-Amz-Date=20251211T012018Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:20:18.883] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:18.883] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:18.883] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:18.883] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:18.883] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:18.884] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:19.122] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.12.17610986930920.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, 
"normal_count": 0, "timestamp": 1765416018884, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:19.122] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 09:20:19.122] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:19.122] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:19.122] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:22.039] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25886 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.13.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.13.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T012021Z&X-Amz-SignedHeaders=host&X-Amz-Signature=3f0132add8bb586c00cb55810a624ba75b839b48687a6f622ebcad4589184018&X-Amz-Expires=604800"} [2025-12-11 09:20:22.040] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:22.040] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:22.040] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:22.040] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:22.040] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args 
for function load [2025-12-11 09:20:22.040] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:22.282] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.13.17610986930920.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765416022040, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, 
"2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:22.282] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 09:20:22.282] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:22.282] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:22.282] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:20:25.448] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24748 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.14.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.14.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T012024Z&X-Amz-Signature=6725e0846ff57a0c2085356a22dedf665069844cbb9a7d72af7990912f5298d3"} [2025-12-11 09:20:25.448] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:25.448] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:25.448] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:25.448] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:25.448] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:25.449] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:25.708] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.14.17610986930920.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765416025449, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:25.708] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:20:25.708] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:25.708] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 09:20:25.708] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:28.571] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24749 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.15.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.15.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T012028Z&X-Amz-Expires=604800&X-Amz-Signature=69c48f0aa372890db7de9f8ff6a66b40d2a51663dc35184ec710083462195e83"} [2025-12-11 09:20:28.571] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:28.571] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:28.571] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:28.571] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:28.571] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:28.572] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:28.812] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.15.17610986930920.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765416028572, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:28.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 09:20:28.812] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:28.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:28.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:20:31.936] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24750 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.16.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.16.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=c081538078f240cde723cd69a78850e4f6b4fd543bd4c2b4b4342933b01a37ad&X-Amz-Date=20251211T012031Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:20:31.937] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:31.937] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:31.937] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:31.937] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:31.937] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:31.937] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:32.199] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.16.17610986930920.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765416031937, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:32.200] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 09:20:32.200] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:32.200] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:32.200] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:20:35.318] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25887 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.17.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.17.17610986930920.jsonl?X-Amz-Signature=c91eb8478829949b6e86f021979aa41d376c0c09599bb504af513a6ebb1aeae3&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T012034Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:20:35.318] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:35.318] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:35.318] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:35.318] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:35.318] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:35.319] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:35.574] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.17.17610986930920.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765416035319, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:35.574] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:20:35.574] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:35.574] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:35.574] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:38.444] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24751 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.18.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.18.17610986930920.jsonl?X-Amz-Date=20251211T012038Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=84f12fd283901d98cac97ec825c6298641e14c8d645a576103780bda32d97101"} [2025-12-11 09:20:38.444] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:38.444] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:38.444] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:38.444] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:38.444] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:38.445] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:38.691] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.18.17610986930920.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765416038445, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:38.691] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:20:38.691] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:38.691] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 09:20:38.691] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:41.589] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25530 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.19.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.19.17610986930920.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T012041Z&X-Amz-Signature=644962eefec30ef8c7fda1b1c8c3ebfeac13b873b4eec66151ee7ff4361bcc91&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 09:20:41.589] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:41.589] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:41.589] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:41.589] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:41.589] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:41.590] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:41.828] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.19.17610986930920.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765416041590, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:41.828] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:20:41.828] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:41.828] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:41.828] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:44.791] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24752 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.20.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.20.17610986930920.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T012044Z&X-Amz-Signature=3c432b6f12c919623bd22cb2abdd9ad77c938f0ccfadd4afa3d201f44414a7ea&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:20:44.791] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:44.791] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:44.792] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:44.792] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:44.792] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:44.792] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:45.031] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.20.17610986930920.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765416044792, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:45.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:20:45.032] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:45.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:45.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:20:47.925] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25888 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.21.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.21.17610986930920.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=8e33f5cc4a5a818b80e40665405ce24226c3a81ade8af64552f675ed3734c6d8&X-Amz-Expires=604800&X-Amz-Date=20251211T012047Z"} [2025-12-11 09:20:47.925] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:47.925] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:47.925] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:47.925] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:47.925] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:47.926] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:48.193] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.21.17610986930920.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765416047926, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", 
"protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:48.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 09:20:48.194] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:48.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:48.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:20:51.122] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24753 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.2.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.2.17610986930920.jsonl?X-Amz-Signature=2ec24d7cdd3fdad943b4709700a64b99d258ae82756a0295e9b8f57da3eba3a0&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T012050Z&X-Amz-SignedHeaders=host"} [2025-12-11 09:20:51.122] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:51.123] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:51.123] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:51.123] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:51.123] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:51.123] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:51.373] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.2.17610986930920.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765416051123, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:51.373] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 09:20:51.373] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:51.373] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:51.373] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:20:54.656] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25531 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.22.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.22.17610986930920.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=83ac8284fe02411382c952b9b972625f39089e91f19b4ca60679ba98a478f645&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T012054Z"} [2025-12-11 09:20:54.656] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:54.656] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:54.656] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:54.656] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:54.656] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:54.657] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:54.909] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.22.17610986930920.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765416054657, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:54.909] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:20:54.909] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:54.909] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:54.909] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:20:58.509] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25532 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.23.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.23.17610986930920.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=6703c62a0fbbf07cee47616704231e66acb1131436babceb38cfdc0d32efec1a&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T012058Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:20:58.509] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:20:58.509] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:20:58.509] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:20:58.509] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:20:58.509] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:20:58.510] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:20:58.740] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.23.17610986930920.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765416058511, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": 
"tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:20:58.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 09:20:58.740] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:20:58.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:20:58.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:21:01.758] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25889 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.24.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.24.17610986930920.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T012101Z&X-Amz-Expires=604800&X-Amz-Signature=61977074e59aaa5032684d5279d7b51b2b3c65584d8cc181665a21b0205aad2d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:21:01.758] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:01.758] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:01.758] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:01.759] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:01.759] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:01.759] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:02.005] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.24.17610986930920.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765416061759, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:02.005] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:21:02.005] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:02.005] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:02.005] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:21:05.172] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25533 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.25.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.25.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T012104Z&X-Amz-Signature=eb7f3383ae049fdf747517338a688818026e7fb88af5e275b213a35d1e31fc70"} [2025-12-11 09:21:05.172] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:05.172] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:05.172] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:05.172] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:05.172] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:05.173] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:05.428] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.25.17610986930920.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765416065173, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, 
"2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:05.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:21:05.428] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:05.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:05.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:21:08.416] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24754 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.26.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.26.17610986930920.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T012107Z&X-Amz-SignedHeaders=host&X-Amz-Signature=aab9030b828bbca3c964544516286140408826bdecbba2099970a5bd2a7e7711&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:21:08.416] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:08.416] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:08.416] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:08.416] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:08.416] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:08.417] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:08.660] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.26.17610986930920.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765416068417, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 
50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:08.660] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:21:08.660] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:08.660] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:08.660] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:21:11.635] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24755 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.3.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.3.17610986930920.jsonl?X-Amz-Expires=604800&X-Amz-Signature=e47867bd6cbe6a2749190b94f005901a60c2a575f158e20e2b6f00fad7dba10f&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T012111Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 09:21:11.635] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:11.635] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:11.635] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:11.635] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:11.635] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 09:21:11.635] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:11.887] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.3.17610986930920.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765416071635, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:11.887] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 09:21:11.887] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:11.887] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:11.887] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:21:14.764] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24756 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.4.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.4.17610986930920.jsonl?X-Amz-Signature=c085302248d8318b01c5890d294676df9e4a54d30844a2a1342c9eea5202e00c&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T012114Z&X-Amz-SignedHeaders=host"} [2025-12-11 09:21:14.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:14.765] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:14.765] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:14.765] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:14.765] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:14.765] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:14.980] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.4.17610986930920.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765416074765, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:14.980] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 09:21:14.980] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:14.980] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:14.980] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:21:18.290] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25534 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.5.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.5.17610986930920.jsonl?X-Amz-Date=20251211T012117Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=3f6fd2e43b34e318c8f2f573fd435465f6caec76546897b1a9af0d4ae6e57f86&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:21:18.290] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:18.290] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:18.291] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:18.291] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:18.291] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:18.291] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:18.536] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.5.17610986930920.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765416078292, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:18.536] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:21:18.536] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:18.536] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:18.536] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:21:21.434] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24757 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.6.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.6.17610986930920.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=97cefcb7f25efb43de64a6efbc49c5e9f43e526e375445cdd7474dc7c521832f&X-Amz-Date=20251211T012121Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:21:21.434] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:21.434] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:21.434] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:21.434] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:21.434] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:21.435] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:21.663] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.6.17610986930920.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765416081436, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:21.663] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 09:21:21.663] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:21.663] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:21.663] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:21:24.657] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24758 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.7.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.7.17610986930920.jsonl?X-Amz-Date=20251211T012124Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=d0f0e31a2fa16d514e712dab2da8f05603479bdccceb67ccab7b97384984d949"} [2025-12-11 09:21:24.657] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:24.657] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:24.657] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:24.657] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:24.657] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:24.658] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:24.922] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.7.17610986930920.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765416084659, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": 
"tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:24.922] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:21:24.922] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:24.922] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:24.922] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:21:27.869] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24759 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.8.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.8.17610986930920.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T012127Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=a42e4e120014d482dc107a50889e3c1b3f386c4c4eaaa541763b20f63997aa41&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:21:27.869] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:27.869] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:27.869] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:27.869] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:27.869] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:27.869] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:28.109] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.8.17610986930920.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765416087869, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:28.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 09:21:28.109] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:28.109] [INFO] 
[tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:28.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:21:31.084] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25535 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.17610986930920.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.17610986930920.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=753b0e3f4af2d74d11520fcf98abda28cf5b313018dbf04e987e227d64617efe&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T012130Z"} [2025-12-11 09:21:31.084] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:31.084] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:31.084] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:31.084] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:31.084] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:31.085] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:31.333] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.17610986930920.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765416091085, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:21:31.333] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 09:21:31.333] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:21:31.333] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:21:31.333] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:21:56.588] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25536 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.1765416108.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.1765416108.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T012156Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=7a0d6b1cd58b39d469e4bcdfb4302d35799b12a701aecf630658c4aa3db97073"} [2025-12-11 09:21:56.588] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:21:56.588] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:21:56.588] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:21:56.588] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:21:56.588] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:21:56.589] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:21:56.600] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.1765416108.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765416116590, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 09:21:56.600] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 09:21:56.600] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:09.416] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25890 key: NULL payload: 
{"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.10.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.10.17610986930930.jsonl?X-Amz-Signature=c96f448e796702a365a73a983210c800bc2b52f8654242661bc752b0192da04b&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013008Z&X-Amz-Expires=604800"} [2025-12-11 09:30:09.416] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:09.417] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:09.417] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:09.417] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:09.417] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:09.418] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:09.698] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.10.17610986930930.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765416609418, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", 
"src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:09.698] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:30:09.698] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:09.698] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:09.698] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:12.544] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24760 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.11.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.11.17610986930930.jsonl?X-Amz-Expires=604800&X-Amz-Signature=1a9ee43c2187b88f124dd067019e9ffd73fb44a3486e1773514e3c52d2b0adb8&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013012Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:30:12.544] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:12.544] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:12.544] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:12.544] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:12.544] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:12.544] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 
09:30:12.794] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.11.17610986930930.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765416612545, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:12.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 09:30:12.794] [DEBUG] 
[tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:12.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:12.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:15.696] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24761 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.1.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.1.17610986930930.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T013015Z&X-Amz-Expires=604800&X-Amz-Signature=9a3b088130de641c3e14034780408942fda781192bfe053a03e98b8723645c6a"} [2025-12-11 09:30:15.696] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:15.696] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:15.696] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:15.696] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:15.696] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:15.696] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:15.936] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.1.17610986930930.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765416615697, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 
1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:15.936] [INFO] 
[tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:30:15.936] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:15.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:15.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:18.942] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24762 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.12.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.12.17610986930930.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=5b2dea036455a32575336571ff0f31e8d2e372b7a6c2ce3d595ad033ff9827cf&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T013018Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 09:30:18.942] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:18.942] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:18.942] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:18.942] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:18.942] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:18.943] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:19.200] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.12.17610986930930.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765416618943, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": 
"36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, 
"2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:19.200] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 09:30:19.200] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:19.200] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:19.200] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:22.098] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24763 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.13.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.13.17610986930930.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=7575145df16c3178e4db6a1dd04952a9f3793e51160f25f5717731c0bdc6aed3&X-Amz-Date=20251211T013021Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 09:30:22.098] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:22.098] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:22.098] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:22.098] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:22.098] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:22.099] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:22.341] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.13.17610986930930.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765416622099, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:22.341] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 09:30:22.341] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:22.341] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:22.341] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:30:25.474] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24764 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.14.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.14.17610986930930.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013025Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=535e89822547cf6338805d71bf298c932a0c26dedb42c893b10bbdae9b867ed8"} [2025-12-11 09:30:25.474] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:25.474] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:25.474] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:25.474] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:25.474] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:25.475] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:25.661] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.14.17610986930930.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765416625475, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:25.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:30:25.661] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:25.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 09:30:25.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:28.601] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25891 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.15.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.15.17610986930930.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T013028Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=6b6e9446fa3d304679bdb54fc4d3536deb3c8398c27de7485452c7a079f3af00"} [2025-12-11 09:30:28.601] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:28.601] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:28.602] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:28.602] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:28.602] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:28.602] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:28.840] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.15.17610986930930.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765416628602, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 
53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:28.840] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 09:30:28.840] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:28.840] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:28.840] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:30:31.952] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25537 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.16.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.16.17610986930930.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=3bc5c00936da9a498b71d8cc9b0002602173b43b1895b63c150fc064d4cb680d&X-Amz-Date=20251211T013031Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:30:31.952] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:31.952] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:31.952] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:31.952] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:31.952] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:31.952] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:32.179] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.16.17610986930930.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765416631953, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": 
"tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:32.179] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 09:30:32.179] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:32.179] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:32.179] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:30:35.413] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25538 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.17.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.17.17610986930930.jsonl?X-Amz-Signature=1e7ca54e5f3ea618154d5c2d8ff27a94426ebcf191c07fa261eda6152b4ec1dc&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T013034Z&X-Amz-SignedHeaders=host"} [2025-12-11 09:30:35.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:35.413] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:35.413] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:35.413] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:35.413] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:35.413] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:35.657] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.17.17610986930930.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765416635413, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:35.657] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:30:35.657] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:35.657] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:35.657] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:38.548] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24765 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.18.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.18.17610986930930.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=23735862772356003ab096566204c2b0b9d16062e48c6fb81c20fe788f3ea710&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013038Z"} [2025-12-11 09:30:38.549] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:38.549] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:38.549] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:38.549] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:38.549] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:38.550] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:38.806] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.18.17610986930930.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765416638550, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:38.806] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:30:38.806] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:38.806] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:38.806] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:30:41.694] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25892 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.19.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.19.17610986930930.jsonl?X-Amz-Signature=10c0da15c673909a7e31eeb30354bd5e9b82f646c809506a0813a85d4acb8bf0&X-Amz-Date=20251211T013041Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 09:30:41.694] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:41.694] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:41.694] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:41.694] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:41.694] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:41.695] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:41.936] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.19.17610986930930.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765416641695, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", 
"src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:41.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:30:41.936] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:41.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:41.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:44.868] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25539 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.20.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.20.17610986930930.jsonl?X-Amz-Signature=e072fa3e7c39ab3cb5938c169d2a719a17dce27f993589e3c1ee5e4a90720386&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T013044Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 09:30:44.868] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:44.868] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:44.868] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:44.868] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:44.868] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:44.868] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:45.105] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:09/output/gbm/alert.pcap.20.17610986930930.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765416644868, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", 
"src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:45.105] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:30:45.105] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:45.105] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:45.105] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:30:48.001] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25540 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.21.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.21.17610986930930.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=e41a5f92812bfc2bb60929d4cb114f19dac82e441f36bb0d628b36af43231ae3&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T013047Z&X-Amz-Expires=604800"} [2025-12-11 09:30:48.001] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:48.001] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:48.001] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:48.001] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:48.002] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:48.002] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:48.239] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.21.17610986930930.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765416648002, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": 
"tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:48.239] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 09:30:48.239] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:48.239] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:48.239] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:30:51.221] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24766 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.2.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.2.17610986930930.jsonl?X-Amz-Signature=01107795207373faa9358bc2668216591814a36eb3f6711b8c0a250d2b8b8c73&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013050Z&X-Amz-Expires=604800"} [2025-12-11 09:30:51.221] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:51.221] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:51.221] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:51.221] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:51.221] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:51.221] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:51.467] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.2.17610986930930.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765416651222, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:51.467] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 09:30:51.467] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:51.467] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:51.467] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:30:54.718] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25541 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.22.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.22.17610986930930.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013054Z&X-Amz-Signature=1376e38670225ae7db04c88563c6c2aebd032852f8447ed7bd2f721c71ed5bc1"} [2025-12-11 09:30:54.719] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:54.719] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:54.719] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:54.719] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:54.719] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:54.719] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:54.968] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.22.17610986930930.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765416654719, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:54.968] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:30:54.968] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:54.968] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:54.968] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:30:58.594] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25542 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.23.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.23.17610986930930.jsonl?X-Amz-Signature=64c16fd3537830ea47fcde06711edb028cf00b1a349f4659e50dd6a9d27c4028&X-Amz-Date=20251211T013058Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 09:30:58.594] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:30:58.594] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:30:58.594] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:30:58.594] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:30:58.594] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:30:58.595] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:30:58.860] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.23.17610986930930.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765416658595, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:30:58.860] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 09:30:58.860] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:30:58.860] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:30:58.860] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:31:01.869] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25893 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.24.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.24.17610986930930.jsonl?X-Amz-Signature=44a280a1c0bf8d83bd9bf247fdf635cf9ea4b5d9581bb91686b4af298aa3cafb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T013101Z"} [2025-12-11 09:31:01.870] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:01.870] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:01.870] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:01.870] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:01.870] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:01.870] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:02.150] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.24.17610986930930.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 
1765416661870, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:02.150] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:31:02.150] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:02.150] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:02.150] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:31:05.283] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25894 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.25.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.25.17610986930930.jsonl?X-Amz-Date=20251211T013104Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=38d41864a7fd1c14249def9b5b5f3051ff38ac0505828ba5b603847e54528b6a&X-Amz-SignedHeaders=host"} [2025-12-11 09:31:05.283] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:05.283] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:05.283] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:05.283] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:05.283] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:05.284] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:05.551] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.25.17610986930930.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765416665284, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:05.551] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 09:31:05.551] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:05.551] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:05.551] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:31:08.523] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25895 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.26.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.26.17610986930930.jsonl?X-Amz-Signature=0d6ce6540328a7a6f653ee70b10a75c7c9a29c3cd38363d86ff67657e046f00a&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013108Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 09:31:08.523] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:08.523] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:08.523] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:08.523] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:08.523] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:08.523] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:08.769] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.26.17610986930930.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765416668523, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:08.769] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 09:31:08.769] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:08.769] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:08.769] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:31:11.743] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24767 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.3.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.3.17610986930930.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013111Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=efa62c32459b99918aaad87c86fea92674b78ec21859cee99d4a7340265da5bb"} [2025-12-11 09:31:11.743] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:11.743] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:11.743] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:11.743] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:11.743] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 09:31:11.743] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:11.996] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.3.17610986930930.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765416671743, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:11.996] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 09:31:11.996] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:11.996] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:11.996] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:31:14.881] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24768 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.4.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.4.17610986930930.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=43c7d80c051fc99c1b7ea6af800347222ac3abd8b4af500cc4c19c53cca10e6c&X-Amz-Date=20251211T013114Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:31:14.881] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:14.881] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:14.881] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:14.881] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:14.881] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:14.881] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:15.095] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.4.17610986930930.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765416674881, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:15.095] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 09:31:15.095] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:15.095] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:15.095] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:31:18.413] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24769 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.5.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.5.17610986930930.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=557feaf560ee03e734aadaf7a8f925e5c404574444190bfad59bf98c6cd1ee31&X-Amz-Date=20251211T013117Z&X-Amz-SignedHeaders=host"} [2025-12-11 09:31:18.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:18.413] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:18.413] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:18.413] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:18.413] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:18.414] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:18.668] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.5.17610986930930.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765416678414, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, 
"dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:18.668] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:31:18.668] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:18.668] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:18.668] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:31:21.567] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25896 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.6.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.6.17610986930930.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T013121Z&X-Amz-Signature=2df70d0f6dcec69ef77c1bb52e6bf67a2ba68e244bbd04096f8cc9c8972eff31&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 09:31:21.568] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:21.568] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:21.568] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:21.568] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:21.568] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:21.568] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:21.811] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.6.17610986930930.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765416681568, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:21.811] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 09:31:21.811] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:21.811] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:21.811] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:31:24.784] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24770 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.7.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.7.17610986930930.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T013124Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=850143c2e3bcbc19ae8a972903fb6b441e2994146c1038c912c49dafefb89ffd"} [2025-12-11 09:31:24.784] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:24.784] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:24.784] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:24.784] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:24.784] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:24.785] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:25.015] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.7.17610986930930.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765416684785, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:25.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 09:31:25.015] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:25.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:25.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:31:27.972] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25897 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.8.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.8.17610986930930.jsonl?X-Amz-Signature=32b73401f97ae4a179f765a2383f997be8fb8542c0a3b489792fc55d5eb0ea93&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T013127Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 09:31:27.972] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:27.972] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:27.972] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:27.972] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:27.972] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:27.973] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:28.216] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.8.17610986930930.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765416687973, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:28.216] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 09:31:28.216] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib 
[2025-12-11 09:31:28.216] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:28.216] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 09:31:31.173] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25898 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.17610986930930.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.17610986930930.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=d4fa8ed05c5642b63c59ea13019aa7922548ba00277bb3cc56cc5446aa0399d7&X-Amz-Date=20251211T013130Z"} [2025-12-11 09:31:31.174] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:31:31.174] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:31:31.174] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:31:31.174] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:31:31.174] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:31:31.174] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:31:31.410] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.17610986930930.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765416691174, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": 
"tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 09:31:31.410] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 09:31:31.410] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:31:31.410] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 09:31:31.410] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 09:36:56.655] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25543 key: NULL payload: {"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.1765417009.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.1765417009.jsonl?X-Amz-Signature=a516a3af0e96941289f7f6e38e8e034bbd590d0083469f0110eb84f4a44f741f&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T013656Z"} [2025-12-11 09:36:56.655] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:36:56.655] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:36:56.655] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:36:56.655] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:36:56.655] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:36:56.656] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:36:56.667] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.1765417009.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765417016656, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 09:36:56.667] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 09:36:56.667] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:40:40.491] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24771 key: NULL payload: 
{"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.1765417232.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.1765417232.jsonl?X-Amz-Date=20251211T014040Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=08c2943bace9b069b35142fe26d5ff49cbb8308aabf490d38c00b0f1a15b5f2a&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 09:40:40.491] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:40:40.491] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:40:40.492] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:40:40.492] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:40:40.492] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:40:40.493] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:40:40.504] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.1765417232.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765417240493, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 09:40:40.504] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 09:40:40.504] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:40:43.595] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25899 key: NULL payload: 
{"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.1.1765417232.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.1.1765417232.jsonl?X-Amz-Date=20251211T014043Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=020e386df07712ee1ed7320f099270d17730411504837d62501057f8b690bc9b&X-Amz-SignedHeaders=host"} [2025-12-11 09:40:43.595] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:40:43.595] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:40:43.595] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:40:43.595] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:40:43.595] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:40:43.596] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:40:43.607] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.1.1765417232.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765417243596, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 09:40:43.607] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 09:40:43.607] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 09:55:40.553] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25544 key: NULL payload: 
{"bucket":"2025-12-11","object":"09/output/gbm/alert.pcap.9.1765418133.jsonl","url":"http://111.32.12.11:9000/2025-12-11/09/output/gbm/alert.pcap.9.1765418133.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=2de2be839c9aa4331a84bc54996fb6f49834fe59d7a9c87e028023addb7f42f8&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T015540Z&X-Amz-Expires=604800"} [2025-12-11 09:55:40.554] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 09:55:40.554] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 09:55:40.554] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 09:55:40.554] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 09:55:40.554] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 09:55:40.554] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 09:55:40.559] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:09/output/gbm/alert.pcap.9.1765418133.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765418140554, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 09:55:40.559] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 09:55:40.559] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:10:41.903] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25900 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765419034.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765419034.jsonl?X-Amz-Signature=cfa9a3e6864efe8e34483ec2ab236fb0e5222b18e84d89157fd3ba7a1c31a6fc&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T021041Z&X-Amz-Expires=604800"} [2025-12-11 10:10:41.903] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:10:41.903] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:10:41.904] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:10:41.904] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:10:41.904] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:10:41.904] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:10:41.913] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765419034.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419041904, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:10:41.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:10:41.913] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:24:11.528] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25901 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765360664.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765360664.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T022411Z&X-Amz-Expires=604800&X-Amz-Signature=6b79da0015d9fb1021cb366c6fb12e94fab330b0b5ba4e876e6262b60af309b2"} [2025-12-11 10:24:11.528] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:24:11.528] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:24:11.528] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:24:11.528] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:24:11.528] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:24:11.529] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:24:11.560] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765360664.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419851529, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:24:11.560] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:24:11.560] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:01.034] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24772 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765360664.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765360664.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T022500Z&X-Amz-Signature=befbb0537ac12a090c267dffb6e0ab08d8750248626d2678eaad96603c42ae7a&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 10:25:01.034] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:01.034] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:01.034] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:01.034] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:01.034] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:01.036] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:01.051] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765360664.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419901036, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:01.051] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:01.051] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:01.653] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25902 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765417232.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765417232.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T022501Z&X-Amz-Signature=9d24399058e6102c10f24c94f4b1306a2b260435917eace5613c3bbed0078729&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 10:25:01.653] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:01.653] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:01.653] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:01.653] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:01.653] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:01.653] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:01.658] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765417232.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419901653, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:01.658] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:01.658] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:02.200] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25903 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765347149.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765347149.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=8c2f3bf0b6df8696b95d8a8fb5691c4a1aa92d3c72386187831c873ccd552d81&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T022502Z"} [2025-12-11 10:25:02.200] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:02.200] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:02.200] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:02.201] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:02.201] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:02.201] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:02.211] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765347149.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419902201, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:02.211] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:02.211] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:02.763] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25545 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765357961.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765357961.jsonl?X-Amz-Expires=604800&X-Amz-Signature=04bb56596ec87a431772eee9a0d42183d9f2b18243c3f6d2007425dc8df03d20&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T022502Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 10:25:02.763] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:02.763] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:02.763] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:02.763] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:02.763] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:02.763] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:02.768] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765357961.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419902763, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:02.768] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:02.768] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:03.343] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24773 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765348050.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765348050.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T022503Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=8a0a12071057cbb77cbdb274aec1c61299186c9abea802f6592e6920062a0f49&X-Amz-Expires=604800"} [2025-12-11 10:25:03.343] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:03.343] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:03.343] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:03.343] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:03.343] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:03.343] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:03.347] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765348050.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419903344, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:03.347] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:03.347] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:03.903] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24774 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765346248.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765346248.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T022503Z&X-Amz-Signature=38d05f571a54abad62cc239e323514b7235543d7d3f6c6d3095da065c2392a94&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 10:25:03.903] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:03.903] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:03.904] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:03.904] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:03.904] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:03.904] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:03.908] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765346248.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419903904, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:03.908] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:03.908] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:04.484] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25546 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765355258.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765355258.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T022504Z&X-Amz-Signature=3525502f9269393960fd4a46f3a7bc959ad195e5d0670a59e299d35d020f9992&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:25:04.484] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:04.484] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:04.484] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:04.484] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:04.484] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:04.485] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:04.490] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765355258.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419904485, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:04.490] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:04.490] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:04.986] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25904 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765416108.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765416108.jsonl?X-Amz-Signature=2093bcb741e012a8fd887a3f31d0c8b8070b5ae24db64f7c7ca1669a25f0180f&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T022504Z&X-Amz-SignedHeaders=host"} [2025-12-11 10:25:04.986] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:04.986] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:04.986] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:04.986] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:04.986] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:04.986] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:04.990] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765416108.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419904986, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:04.990] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:04.990] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:05.509] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25905 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765351654.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765351654.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T022505Z&X-Amz-Signature=59f570465e8fd97923498e85d99edfce41649d106902353947d25bf87f591511"} [2025-12-11 10:25:05.509] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:05.509] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:05.509] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:05.509] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:05.509] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:05.510] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:05.520] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765351654.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419905510, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:05.520] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:05.520] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:06.131] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25547 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765350753.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765350753.jsonl?X-Amz-Expires=604800&X-Amz-Signature=38683ccb0bfe80edf42794519f8e95609a8b5d29c85b894b9a0b1917e9b5b7c4&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T022506Z"} [2025-12-11 10:25:06.131] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:06.131] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:06.131] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:06.131] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:06.131] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:06.131] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:06.135] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765350753.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419906131, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:06.135] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:06.135] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:06.702] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25548 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765348951.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765348951.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=96715ec5278fd9de0a2e5f567655359e5a602c3187991feff15818abe15fe669&X-Amz-Date=20251211T022506Z&X-Amz-SignedHeaders=host"} [2025-12-11 10:25:06.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:06.702] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:06.702] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:06.702] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:06.702] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:06.702] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:06.706] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765348951.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419906702, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:06.706] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:06.706] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:07.265] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24775 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765418133.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765418133.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T022507Z&X-Amz-SignedHeaders=host&X-Amz-Signature=39d0e8c11711e80ced0bd3ccc0e18e79f5361d05a2d3657ddb7e224d6bf4315f&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 10:25:07.265] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:07.265] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:07.265] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:07.265] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:07.265] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:07.266] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:07.270] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765418133.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419907266, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:07.270] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:07.270] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:07.825] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24776 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765354357.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765354357.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=fb012646eb3b5612496deca4409f9f7417496b2fd8a5b3e992d1f602e32ef58d&X-Amz-Expires=604800&X-Amz-Date=20251211T022507Z"} [2025-12-11 10:25:07.825] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:07.825] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:07.825] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:07.825] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:07.825] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:07.826] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:07.830] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765354357.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419907826, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:07.830] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:07.830] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:08.393] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25906 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765352555.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765352555.jsonl?X-Amz-Date=20251211T022508Z&X-Amz-Expires=604800&X-Amz-Signature=22db7525e30794482c38e231ea93826f2fe8fe1cc27e4934c275990ce37cc2e4&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:25:08.393] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:08.393] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:08.393] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:08.393] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:08.393] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:08.393] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:08.397] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765352555.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419908394, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:08.397] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:08.397] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:08.931] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24777 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765349852.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765349852.jsonl?X-Amz-Date=20251211T022508Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=0caa89349fc2cf00206fabe33246272bb24ecf857d2d226c3bfcd8a2f8dab09a&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 10:25:08.931] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:08.931] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:08.931] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:08.931] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:08.931] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:08.932] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:08.936] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765349852.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419908932, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:08.936] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:08.936] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:09.466] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25549 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765353456.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765353456.jsonl?X-Amz-Expires=604800&X-Amz-Signature=de8dd7ad598253dfb5a6df85bed153cae6b93768caa3ccd6817ce5501336306d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T022509Z"} [2025-12-11 10:25:09.467] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:09.467] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:09.467] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:09.467] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:09.467] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:09.467] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:09.471] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765353456.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419909467, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:09.471] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:09.471] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:10.028] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25907 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765359763.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765359763.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T022510Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=eff9097b1378d4c31af4d0d0385e1f10ddf3a388e9fa93b6c4f1bcf25e0ced58"} [2025-12-11 10:25:10.028] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:10.028] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:10.029] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:10.029] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:10.029] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:10.029] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:10.033] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765359763.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419910029, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:10.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:10.033] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:10.540] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24778 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765358862.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765358862.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=3ab3b62b0e98dd038a1e3b75d5ba04678e10bfb621788eb1abfd8a672e6f63ed&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T022510Z"} [2025-12-11 10:25:10.540] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:10.540] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:10.540] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:10.540] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:10.540] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:10.540] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:10.544] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765358862.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419910540, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:10.544] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:10.544] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:11.095] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24779 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765356159.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765356159.jsonl?X-Amz-Date=20251211T022511Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=fb10acbb290b636940801b7cf32137a0a0cd60cbc928e9ce3c37c1d3f0a65d9b&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:25:11.095] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:11.095] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:11.096] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:11.096] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:11.096] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:11.096] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:11.100] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765356159.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419911096, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:11.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:11.100] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:11.674] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25550 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765357060.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765357060.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T022511Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=63f5ae214aa6b4761fc2c0705e562f4cb0ad1c5356c568124b6f3983ba3b2dca&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 10:25:11.674] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:11.674] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:11.674] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:11.674] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:11.674] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:11.674] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:11.678] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765357060.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419911675, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:11.678] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:11.678] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:12.275] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25908 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765419034.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765419034.jsonl?X-Amz-Date=20251211T022512Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=73494514f9eb4e8293e3e743a2c3eefe2929199df4ef508548ce8c12500d020a&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 10:25:12.275] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:12.275] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:12.275] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:12.275] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:12.275] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:12.275] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:12.280] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765419034.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419912275, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:12.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:12.280] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:25:43.707] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24780 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765419935.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765419935.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=dfbfcf203a1ad255ded4ff4f030e0fabf8f19f2a9158f90d710981ee039f1e13&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T022542Z"} [2025-12-11 10:25:43.707] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:25:43.707] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:25:43.707] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:25:43.707] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:25:43.707] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:25:43.708] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:25:43.718] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765419935.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765419943708, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:25:43.719] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:25:43.719] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:14.667] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25909 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765360664.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765360664.jsonl?X-Amz-Date=20251211T023214Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=70d656e4898c5f6443db701e3c0de289d6a9f4c1b72c73883397cc54f6b12c7a&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:32:14.667] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:14.667] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:14.668] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:14.668] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:14.668] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:14.668] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:14.673] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765360664.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420334668, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:14.673] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:14.673] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:21.767] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25910 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765419935.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765419935.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=e3894334028633b6668702c219aa99fa1b546e9a3367e08aa4d520fc39a4c336&X-Amz-Date=20251211T023221Z"} [2025-12-11 10:32:21.767] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:21.767] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:21.767] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:21.767] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:21.767] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:21.768] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:21.773] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765419935.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420341768, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:21.773] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:21.773] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:25.516] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25551 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765417232.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765417232.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=4ebfbeb81013075990d252e6c4331985ea25583b6e21dff1410e81bbce4e81f7&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T023224Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 10:32:25.516] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:25.516] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:25.516] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:25.516] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:25.516] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:25.517] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:25.528] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765417232.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420345517, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:25.528] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:25.528] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:29.821] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24781 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765347149.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765347149.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T023229Z&X-Amz-Signature=050d09854f06cda2466fd3423604fa0e76a02e0cf2e1afc162c0ffe22686611f&X-Amz-SignedHeaders=host"} [2025-12-11 10:32:29.821] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:29.821] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:29.821] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:29.821] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:29.821] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:29.821] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:29.825] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765347149.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420349822, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:29.825] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:29.826] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:30.608] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25911 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765357961.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765357961.jsonl?X-Amz-Expires=604800&X-Amz-Signature=43c5532c82d6ff97d1086eb0ac648fddfa8498585b1caf6ffbc33f278ec1b414&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T023230Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 10:32:30.608] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:30.608] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:30.608] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:30.608] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:30.608] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:30.608] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:30.612] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765357961.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420350608, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:30.612] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:30.612] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:31.343] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25552 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765348050.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765348050.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T023231Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=691ce550072c24eb1a433068a9ae57d5721eac9df12c32d1da8dcb6ed9e1f3e8&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 10:32:31.343] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:31.343] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:31.343] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:31.343] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:31.343] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:31.343] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:31.347] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765348050.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420351343, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:31.347] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:31.347] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:32.332] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24782 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765346248.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765346248.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=d0d2b4fd3cf7f927e87d337cf682a3d315366f43b36fb97978ecb2a07d86d15f&X-Amz-Date=20251211T023232Z"} [2025-12-11 10:32:32.332] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:32.332] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:32.332] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:32.332] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:32.332] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:32.332] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:32.336] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765346248.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420352332, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:32.336] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:32.336] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:33.059] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25912 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765355258.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765355258.jsonl?X-Amz-Signature=25074827839c8933e74f708cdfe7403e2c2cc5a3284fd9c36bb1687b011c989d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T023233Z"} [2025-12-11 10:32:33.059] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:33.059] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:33.059] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:33.059] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:33.059] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:33.060] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:33.064] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765355258.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420353060, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:33.064] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:33.064] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:33.941] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25913 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765416108.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765416108.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T023233Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=14897102327aa90e8acd407d8dc13832283fffe0bdb7f0c88cc9c92f26baa820&X-Amz-Expires=604800"} [2025-12-11 10:32:33.941] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:33.941] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:33.941] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:33.941] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:33.941] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:33.941] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:33.945] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765416108.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420353941, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:33.945] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:33.945] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:34.742] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24783 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765351654.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765351654.jsonl?X-Amz-Signature=1116bfce731fb8b9579150d0e2973f3231b7e8699ea49856bf7a413ab18d87ab&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T023234Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 10:32:34.742] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:34.742] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:34.742] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:34.742] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:34.742] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:34.742] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:34.746] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765351654.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420354742, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:34.746] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:34.746] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:35.574] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24784 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765350753.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765350753.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=682c19a438be927e15c8e33583afc2c7037e03abbddb72b7747571f0d31fc4c4&X-Amz-Date=20251211T023235Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:32:35.574] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:35.574] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:35.574] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:35.574] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:35.574] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:35.574] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:35.578] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765350753.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420355574, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:35.578] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:35.578] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:36.449] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25553 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765348951.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765348951.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=4da24945a62ce1b3f598d2eb520fe7a672674b8b4b14486cdfbf30357c1a6fc9&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T023236Z"} [2025-12-11 10:32:36.449] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:36.449] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:36.449] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:36.449] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:36.449] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:36.449] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:36.453] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765348951.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420356449, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:36.453] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:36.453] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:37.231] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24785 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765418133.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765418133.jsonl?X-Amz-Date=20251211T023237Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=4b9af3cf7a48fd9663fc08b9473a01d53a56d3ddb7f740a857047e379e1d2dce&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:32:37.231] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:37.231] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:37.231] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:37.231] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:37.231] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:37.232] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:37.235] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765418133.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420357232, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:37.236] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:37.236] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:38.072] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25914 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765354357.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765354357.jsonl?X-Amz-Signature=f7b388a857b6a65a9241d59244ad50a3b79f4769fed09d5a5753aa0ec587fcee&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T023238Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 10:32:38.072] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:38.072] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:38.072] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:38.072] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:38.072] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:38.072] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:38.076] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765354357.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420358073, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:38.076] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:38.076] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:38.916] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25554 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765352555.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765352555.jsonl?X-Amz-Signature=cbf0adb1520ed33d938d7c523c05549b5507618ad2c99928e38ef32ae46e2677&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T023238Z&X-Amz-Expires=604800"} [2025-12-11 10:32:38.916] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:38.916] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:38.916] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:38.916] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:38.916] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:38.916] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:38.920] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765352555.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420358916, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:38.920] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:38.920] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:39.817] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25915 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765349852.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765349852.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T023239Z&X-Amz-SignedHeaders=host&X-Amz-Signature=0f03b96c60a10a28624047035a3aff2e268e3b1edf109ae59ae39aa34e8ce1d6"} [2025-12-11 10:32:39.817] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:39.817] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:39.817] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:39.817] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:39.817] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:39.818] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:39.821] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765349852.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420359818, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:39.822] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:39.822] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:40.569] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24786 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765353456.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765353456.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T023240Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=cc2b223e262a61d944bd57572af5c7a62bc72c3b9da0417bfc09dfdbd39e87d5"} [2025-12-11 10:32:40.569] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:40.569] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:40.569] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:40.569] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:40.569] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:40.569] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:40.573] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765353456.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420360569, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:40.573] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:40.573] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:41.650] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25916 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765359763.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765359763.jsonl?X-Amz-Date=20251211T023241Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=1022a74add9965f1d0592de50291585c432e2514231ea0266d1e4ef17fdcb623&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:32:41.650] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:41.650] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:41.650] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:41.650] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:41.650] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:41.650] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:41.654] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765359763.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420361650, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:41.654] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:41.654] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:32:42.565] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25555 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765358862.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765358862.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=3fcec9365f446f702098d1375cf76392cf58ee7563fe0523c05eecb4977e54fe&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T023242Z"} [2025-12-11 10:32:42.565] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:32:42.565] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:32:42.565] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:32:42.565] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:32:42.565] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:32:42.566] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:32:42.570] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765358862.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420362566, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:32:42.570] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:32:42.570] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:40:51.173] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25556 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765420836.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765420836.jsonl?X-Amz-Expires=604800&X-Amz-Signature=a601b974089ad333cb4188279470e7ab8e64528a1c9a846bcbe4709a31b2f381&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T024050Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 10:40:51.173] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:40:51.173] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:40:51.173] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:40:51.174] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:40:51.174] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:40:51.175] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:40:51.185] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765420836.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420851175, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:40:51.185] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:40:51.185] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:40:51.734] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25557 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765356159.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765356159.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=fdf4a25d9a6c5acbcb419f3cfc1ba4a846d13ed261db8f2fbf0aaed1424edcdd&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T024051Z&X-Amz-Expires=604800"} [2025-12-11 10:40:51.734] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:40:51.734] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:40:51.735] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:40:51.735] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:40:51.735] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:40:51.735] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:40:51.739] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765356159.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420851735, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:40:51.739] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:40:51.739] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:40:52.297] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24787 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765357060.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765357060.jsonl?X-Amz-Signature=e46dc837740da2d6a990d5a3dc69a4cc40f4ac2e5294485c75459c2c4f3459c0&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T024052Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 10:40:52.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:40:52.297] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:40:52.297] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:40:52.297] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:40:52.297] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:40:52.297] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:40:52.301] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765357060.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420852297, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:40:52.301] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:40:52.301] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:40:52.839] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25917 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765419034.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765419034.jsonl?X-Amz-Date=20251211T024052Z&X-Amz-SignedHeaders=host&X-Amz-Signature=047d57baa969a2504b84f8ec95b60e5a6c890244375571c3e6e4e3c2c32a7433&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 10:40:52.839] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:40:52.839] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:40:52.839] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:40:52.839] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:40:52.839] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:40:52.840] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:40:52.843] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765419034.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765420852840, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:40:52.843] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:40:52.843] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 10:55:44.588] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25918 key: NULL payload: 
{"bucket":"2025-12-11","object":"10/output/gbm/alert.pcap.9.1765421737.jsonl","url":"http://111.32.12.11:9000/2025-12-11/10/output/gbm/alert.pcap.9.1765421737.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=793a229226afc3548ee5010c99afca2d07c5bc6ce1e2c06b26fe8a5de78ea5b8&X-Amz-Date=20251211T025544Z"} [2025-12-11 10:55:44.589] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 10:55:44.589] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 10:55:44.589] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 10:55:44.589] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 10:55:44.589] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 10:55:44.590] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 10:55:44.601] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:10/output/gbm/alert.pcap.9.1765421737.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765421744590, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 10:55:44.601] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 10:55:44.601] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:10:45.981] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25919 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.9.1765422638.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.9.1765422638.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T031045Z&X-Amz-Signature=527db610b46164c6bc0edb6d83b9c357f037da77e1f9a7319941abf18678b226"} [2025-12-11 11:10:45.982] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:10:45.982] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:10:45.982] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:10:45.982] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:10:45.982] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:10:45.983] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:10:45.994] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.9.1765422638.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765422645983, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:10:45.994] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:10:45.994] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:34.119] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24788 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.22.1765423286.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.22.1765423286.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T032133Z&X-Amz-SignedHeaders=host&X-Amz-Signature=b28fce73f4c39018746058f3aee3a498348cc2952ae09051dcfbc3ac085359c9&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 11:21:34.119] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:34.119] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:34.119] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:34.119] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:34.119] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:34.125] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:34.363] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.22.1765423286.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765423294125, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:34.363] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:34.363] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:37.866] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24789 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.11.1765423279.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.11.1765423279.jsonl?X-Amz-Date=20251211T032137Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=1814199f2cb4c4e2273db0184020c3ee6ba826d45c09fe2bac2fcc777099576e"} [2025-12-11 11:21:37.866] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:37.866] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:37.866] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:37.866] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:37.866] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:37.867] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:38.101] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.11.1765423279.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423297867, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:38.101] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:38.101] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:40.970] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24790 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.12.1765423290.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.12.1765423290.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T032140Z&X-Amz-SignedHeaders=host&X-Amz-Signature=1d527adecaf4ed10226de93b7829a84058f05212c4adc86445a6bc7cc8d7a67e&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:21:40.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:40.970] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:40.970] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:40.971] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:40.971] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:40.971] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:40.977] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.12.1765423290.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765423300971, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:40.977] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:40.977] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:44.075] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25920 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.17.1765423278.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.17.1765423278.jsonl?X-Amz-Signature=c2fd39afa56677d09613c1bd4251fdc170cd64c32cadae24c61e029028048ecf&X-Amz-Date=20251211T032143Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 11:21:44.075] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:44.075] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:44.075] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:44.075] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:44.075] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:44.076] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:44.321] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.17.1765423278.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423304076, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:44.322] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:44.322] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:47.177] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25921 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.16.1765423279.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.16.1765423279.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=82e7b47ef2c8145ab71c45275ae78acb5eb8a63921d343eb5e97f30210429cb6&X-Amz-Date=20251211T032146Z&X-Amz-Expires=604800"} [2025-12-11 11:21:47.178] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:47.178] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:47.178] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:47.178] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:47.178] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:47.178] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:47.368] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.16.1765423279.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423307178, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:47.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:47.369] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:50.279] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24791 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.5.1765423291.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.5.1765423291.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=a45cca2fcf00695ccf2335866e6173e0854775e28ee0a592eed44c31ff7b82f9&X-Amz-Expires=604800&X-Amz-Date=20251211T032149Z"} [2025-12-11 11:21:50.279] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:50.279] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:50.279] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:50.279] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:50.279] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:50.280] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:50.478] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.5.1765423291.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765423310280, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:50.478] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:50.478] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:53.382] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24792 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.18.1765423292.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.18.1765423292.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T032152Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=5336a444e004a34442f73d643376de938e05dfc1f49ea157e29b9d25c76093f6"} [2025-12-11 11:21:53.383] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:53.383] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:53.383] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:53.383] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:53.383] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:53.383] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:53.578] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.18.1765423292.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765423313383, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:53.578] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:53.578] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:21:56.501] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25922 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.3.1765423279.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.3.1765423279.jsonl?X-Amz-Date=20251211T032156Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=d0c9aa93c19709caa08faa6711f815194752e5eaaa1a8c3425c60de49de28c66"} [2025-12-11 11:21:56.501] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:21:56.501] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:21:56.501] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:21:56.501] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:21:56.501] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:21:56.501] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:21:56.695] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.3.1765423279.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765423316501, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:21:56.695] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:21:56.695] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:22:05.368] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24793 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.20.1765423311.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.20.1765423311.jsonl?X-Amz-Date=20251211T032204Z&X-Amz-SignedHeaders=host&X-Amz-Signature=a082b72e523dadb6dbb970e8216584ca4cf1981ee72d6f459993a29cf0c0d00c&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:22:05.369] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:22:05.369] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:22:05.369] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:22:05.369] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:22:05.369] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:22:05.370] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:22:05.380] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.20.1765423311.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765423325370, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:22:05.381] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:22:05.381] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:22:08.472] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24794 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.19.1765423279.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.19.1765423279.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T032208Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=c280979d4ef0b8b45894b056b23fc1b3143bc27e5a7d5258ba39e164505802f0&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:22:08.472] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:22:08.472] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:22:08.473] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:22:08.473] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:22:08.473] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:22:08.474] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:22:08.708] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.19.1765423279.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423328474, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:22:08.708] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:22:08.708] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:22:11.574] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24795 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.24.1765423320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.24.1765423320.jsonl?X-Amz-Signature=8414775dbcf3423466d2b6dd07ea403ea6dd86136b4f14a8f21ee9ef4ae16f7d&X-Amz-Date=20251211T032211Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 11:22:11.574] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:22:11.574] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:22:11.574] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:22:11.574] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:22:11.574] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:22:11.575] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:22:11.767] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.24.1765423320.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423331575, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:22:11.767] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:22:11.767] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:22:14.677] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25923 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.21.1765423292.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.21.1765423292.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T032214Z&X-Amz-Signature=49ec159c5dee5e56f31ae1b09d33d22588de04d5adb08266ab7dbbd89cf98491&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 11:22:14.677] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:22:14.677] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:22:14.677] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:22:14.677] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:22:14.677] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:22:14.678] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:22:14.885] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.21.1765423292.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423334678, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:22:14.885] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:22:14.885] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:22:21.638] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24796 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.23.1765423295.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.23.1765423295.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=e479dfdf0db3c6409cd45534b472fb2fb4e2662fc1a163a71b3631e18f2505e3&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T032221Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 11:22:21.638] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:22:21.638] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:22:21.638] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:22:21.638] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:22:21.638] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:22:21.639] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:22:21.881] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.23.1765423295.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423341640, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:22:21.881] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:22:21.881] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:22:35.390] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25558 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.14.1765423291.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.14.1765423291.jsonl?X-Amz-Date=20251211T032234Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=e9945edebea663086db7cdf4ef403ce055ebef39dccc1f4cea5612f6723c7b9b&X-Amz-Expires=604800"} [2025-12-11 11:22:35.390] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:22:35.390] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:22:35.390] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:22:35.390] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:22:35.390] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:22:35.390] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:22:35.657] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.14.1765423291.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765423355390, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:22:35.657] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:22:35.657] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:22:46.641] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25924 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.2.1765423325.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.2.1765423325.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T032246Z&X-Amz-Signature=18de3999fa26375d91d54a288956610748e32eb4caf1360186cd3bdafbd6bd62&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 11:22:46.641] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:22:46.641] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:22:46.641] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:22:46.641] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:22:46.641] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:22:46.642] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:22:46.883] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.2.1765423325.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765423366643, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:22:46.883] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:22:46.883] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:25:46.729] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24797 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.9.1765423539.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.9.1765423539.jsonl?X-Amz-Date=20251211T032546Z&X-Amz-Signature=6d39eafc6843f9a9254c909d0914edd8b183ece1d9dbd24959236db1ec4327b8&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 11:25:46.729] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:25:46.729] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:25:46.730] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:25:46.730] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:25:46.730] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:25:46.731] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:25:46.742] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.9.1765423539.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765423546731, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:25:46.742] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:25:46.742] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:09.518] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24798 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.10.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.10.17610986931130.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=365522b493c3c1df81333d0fbbacd20cf1eecbbdd09809c175250d27bf0ade7a&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T033009Z"} [2025-12-11 11:30:09.518] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:09.518] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:09.518] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:09.518] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:09.518] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:09.519] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:09.804] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.10.17610986931130.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765423809520, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 
1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:09.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:30:09.804] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:09.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:09.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:12.675] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25925 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.11.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.11.17610986931130.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T033012Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=fe10201d7485b15c316c85984df5a28b9460d0104be817c44ac7b6558048fcea"} [2025-12-11 11:30:12.675] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:12.675] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:12.676] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:12.676] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:12.676] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:12.676] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 
11:30:12.915] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.11.17610986931130.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765423812676, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:12.915] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 11:30:12.915] [DEBUG] 
[tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:12.915] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:12.915] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:15.826] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24799 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.1.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.1.17610986931130.jsonl?X-Amz-Signature=0f44c17dc15ee5856ff80f7e3a3fda2830dc3240fc790f39266ebef67078b2ab&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T033015Z&X-Amz-Expires=604800"} [2025-12-11 11:30:15.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:15.826] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:15.827] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:15.827] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:15.827] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:15.827] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:16.066] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.1.17610986931130.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765423815827, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:16.066] 
[INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:30:16.066] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:16.066] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:16.066] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:19.019] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25559 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.12.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.12.17610986931130.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=6c54a6df0aec9ef84bf93aba605d100dab17c6da1f41a0034a84518c11882384&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T033018Z"} [2025-12-11 11:30:19.019] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:19.019] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:19.019] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:19.019] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:19.019] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:19.020] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:19.263] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.12.17610986931130.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765423819020, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", 
"dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:19.263] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 11:30:19.263] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:19.263] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:19.263] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:22.174] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25560 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.13.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.13.17610986931130.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=108cefad00952a7851b7e7aa5e3bc846d12c5bcfa523160cbd435055253a767c&X-Amz-Date=20251211T033021Z&X-Amz-Expires=604800"} [2025-12-11 11:30:22.175] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:22.175] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:22.175] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:22.175] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:22.175] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:22.176] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:22.414] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.13.17610986931130.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765423822176, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:22.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 11:30:22.414] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:22.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:22.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:30:25.555] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25926 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.14.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.14.17610986931130.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T033025Z&X-Amz-Expires=604800&X-Amz-Signature=c998d2976f488fb2e305de2bc5df717ffc69ec4e1263c022aee50da8176b2fda&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:30:25.555] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:25.556] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:25.556] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:25.556] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:25.556] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:25.556] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:25.807] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.14.17610986931130.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765423825557, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:25.807] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:30:25.807] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:25.807] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 11:30:25.807] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:28.678] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25561 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.15.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.15.17610986931130.jsonl?X-Amz-Signature=eafab5708c2a4a5c6cc45616496c24d1bf3e492b593be217b0e5474752d26722&X-Amz-Expires=604800&X-Amz-Date=20251211T033028Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 11:30:28.679] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:28.679] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:28.679] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:28.679] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:28.679] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:28.680] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:28.919] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.15.17610986931130.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765423828680, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:28.919] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 11:30:28.919] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:28.919] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:28.919] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:30:32.020] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24800 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.16.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.16.17610986931130.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T033031Z&X-Amz-Expires=604800&X-Amz-Signature=e8eb90d431adb3cbbff951a7030785c608c5f6fa8ac000892f29e6bfa1dbb574&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 11:30:32.020] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:32.020] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:32.021] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:32.021] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:32.021] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:32.021] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:32.279] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.16.17610986931130.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765423832021, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", 
"protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:32.279] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 11:30:32.279] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:32.279] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:32.279] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:30:35.486] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25562 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.17.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.17.17610986931130.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T033034Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=59e688e2cca746536f3b23f0136b6314df79925cd4f92fa9915f9e75045c3b1c"} [2025-12-11 11:30:35.486] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:35.486] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:35.486] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:35.486] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:35.486] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:35.487] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:35.764] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.17.17610986931130.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765423835488, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", 
"protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:35.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:30:35.764] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:35.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:35.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:38.659] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25927 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.18.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.18.17610986931130.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T033038Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=e0ef94d6e2f7d79b2bb102605c05f251e357c247d6b48aa48889f65dfe26a429"} [2025-12-11 11:30:38.659] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:38.659] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:38.659] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:38.659] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:38.659] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:38.660] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:38.852] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.18.17610986931130.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765423838660, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:38.852] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:30:38.852] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:38.852] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:38.852] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:30:41.827] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24801 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.19.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.19.17610986931130.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T033041Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=e6ea69a8d3f270959965e5743f22f6adc2c1ea02625fb3e35db115de67b03b7c"} [2025-12-11 11:30:41.827] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:41.827] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:41.828] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:41.828] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:41.828] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:41.828] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:42.032] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.19.17610986931130.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765423841828, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", 
"protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:42.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:30:42.032] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:42.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:42.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:45.008] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25928 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.20.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.20.17610986931130.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=be336822415a603ee2e91667d0865b7f0a1f1a097e0cb2ff2d076fa5bb005263&X-Amz-Date=20251211T033044Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:30:45.009] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:45.009] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:45.009] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:45.009] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:45.009] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:45.009] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:45.196] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:11/output/gbm/alert.pcap.20.17610986931130.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765423845009, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", 
"src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:45.196] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:30:45.196] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:45.196] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:45.196] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:30:48.143] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25563 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.21.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.21.17610986931130.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=7608dcab08c38e4ef9ec113d129164f2a817b6d4f8de92a413ab72ef97ba7942&X-Amz-Date=20251211T033047Z&X-Amz-Expires=604800"} [2025-12-11 11:30:48.143] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:48.143] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:48.143] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:48.143] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:48.143] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:48.144] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:48.337] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.21.17610986931130.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765423848144, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": 
"tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:48.337] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 11:30:48.337] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:48.337] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:48.337] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:30:51.343] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25929 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.2.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.2.17610986931130.jsonl?X-Amz-Date=20251211T033050Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=cdf3f20d50da337df0ae6a403a93a43aca9b6b37119df9fdfe7ef18ef09fdda9"} [2025-12-11 11:30:51.343] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:51.343] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:51.343] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:51.343] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:51.343] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:51.343] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:51.545] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.2.17610986931130.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765423851344, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", 
"protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:51.545] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 11:30:51.545] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:51.545] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:51.545] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:30:54.861] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24802 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.22.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.22.17610986931130.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=3b0f0ef7734ccbffccf9ed14285e4c1393d9f043c4951b73bee5de7963400bcf&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T033054Z"} [2025-12-11 11:30:54.861] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:54.861] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:54.861] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:54.861] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:54.861] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:54.861] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:55.098] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.22.17610986931130.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765423854862, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 
3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:55.098] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:30:55.098] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:55.098] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:55.098] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:30:58.718] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25930 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.23.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.23.17610986931130.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T033058Z&X-Amz-SignedHeaders=host&X-Amz-Signature=cfb7d4d7e2a5fe756ae265f796fd17e4208c483f8f9e65a00077e97f7e6af9e1"} [2025-12-11 11:30:58.719] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:30:58.719] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:30:58.719] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:30:58.719] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:30:58.719] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:30:58.719] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:30:58.970] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.23.17610986931130.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765423858720, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:30:58.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 11:30:58.970] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:30:58.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:30:58.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:31:01.955] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25564 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.24.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.24.17610986931130.jsonl?X-Amz-Date=20251211T033101Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=81a01c3f5ef9a84177c44f83cef673f70bcea785bb501d1bdc4105966d7b084e"} [2025-12-11 11:31:01.955] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:31:01.955] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:31:01.955] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:31:01.955] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:31:01.955] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:31:01.956] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:31:02.144] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.24.17610986931130.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765423861956, "module": 
"anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:31:02.144] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:31:02.144] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:31:02.144] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:31:02.144] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:31:05.374] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25931 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.25.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.25.17610986931130.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=c1d64381b9019de1b718affd075732a08d2275ce84d83c7aa772db2a7302bc50&X-Amz-Date=20251211T033104Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:31:05.375] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:31:05.375] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:31:05.375] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:31:05.375] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:31:05.375] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:31:05.375] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:31:05.555] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.25.17610986931130.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765423865375, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:31:05.556] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:31:05.556] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:31:05.556] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:31:05.556] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:31:08.611] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25932 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.26.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.26.17610986931130.jsonl?X-Amz-Expires=604800&X-Amz-Signature=fd828311de4304a3281f6854767eecc3a14b20de09d099071fab4b995d9086bc&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T033108Z"} [2025-12-11 11:31:08.611] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:31:08.611] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:31:08.611] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:31:08.611] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:31:08.611] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:31:08.612] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:31:08.833] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.26.17610986931130.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765423868612, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:31:08.833] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:31:08.833] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:31:08.833] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:31:08.833] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:31:11.848] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24803 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.3.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.3.17610986931130.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=0072ad478bd9244528e15b757202e592af8b3c53037c9746adebb9c80bbf0050&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T033111Z"} [2025-12-11 11:31:11.848] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:31:11.848] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:31:11.848] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:31:11.848] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:31:11.848] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 11:31:11.848] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:31:12.048] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.3.17610986931130.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765423871848, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 11:31:12.048] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000
[2025-12-11 11:31:12.048] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 11:31:12.048] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 11:31:12.048] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 11:31:14.978] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25933 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.4.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.4.17610986931130.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=0d0ee95f357b49964317b2034777e7befc558b82ecf7d687132f0f031a8e265f&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T033114Z"}
[2025-12-11 11:31:14.978] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 11:31:14.978] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 11:31:14.978] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 11:31:14.978] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 11:31:14.978] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 11:31:14.978] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 11:31:15.156] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.4.17610986931130.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765423874978, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 11:31:15.156] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 16|max_alert: 1000
[2025-12-11 11:31:15.156] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 11:31:15.156] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 11:31:15.156] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 11:31:18.510] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24804 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.5.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.5.17610986931130.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=5ba631f77a10b98b7eb1f59e35601747533866f983c8ce5355dd15546772aaf1&X-Amz-Date=20251211T033118Z"}
[2025-12-11 11:31:18.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 11:31:18.510] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 11:31:18.510] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 11:31:18.510] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 11:31:18.510] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 11:31:18.511] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 11:31:18.700] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.5.17610986931130.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765423878511, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 11:31:18.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000
[2025-12-11 11:31:18.700] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 11:31:18.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 11:31:18.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 11:31:21.651] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25934 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.6.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.6.17610986931130.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T033121Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ef702d5ba5076210c97d3b493d70a4fd9da87b1bf91bedf3f0b36868ef9e3f2e&X-Amz-Expires=604800"}
[2025-12-11 11:31:21.651] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 11:31:21.651] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 11:31:21.651] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 11:31:21.651] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 11:31:21.651] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 11:31:21.652] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 11:31:21.884] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.6.17610986931130.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765423881652, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 11:31:21.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000
[2025-12-11 11:31:21.884] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 11:31:21.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 11:31:21.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 11:31:24.920] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25565 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.7.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.7.17610986931130.jsonl?X-Amz-Date=20251211T033124Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=58ef079b51b8b097afaa5801cbf48d942be07a9248d2865c10457bc4936ccbf7&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"}
[2025-12-11 11:31:24.920] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 11:31:24.920] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 11:31:24.920] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 11:31:24.920] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 11:31:24.920] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 11:31:24.921] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 11:31:25.170] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.7.17610986931130.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765423884921, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 11:31:25.170] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000
[2025-12-11 11:31:25.170] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 11:31:25.170] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 11:31:25.170] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 11:31:28.109] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25935 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.8.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.8.17610986931130.jsonl?X-Amz-Date=20251211T033127Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=d2636c20372e97a813fbe6c890c85e81a14e7cbd7f054d595494c3b3b71c426b&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"}
[2025-12-11 11:31:28.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 11:31:28.109] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 11:31:28.110] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 11:31:28.110] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 11:31:28.110] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 11:31:28.110] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 11:31:28.360] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.8.17610986931130.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765423888110, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:31:28.360] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 11:31:28.360] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
11:31:28.360] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:31:28.360] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:31:31.304] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25936 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.9.17610986931130.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.9.17610986931130.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T033130Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=5701f5394fd1e6f19e2b1a61d3a8ec19602b29fb577294fcf4ca1679a5f001c8"} [2025-12-11 11:31:31.304] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:31:31.304] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:31:31.304] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:31:31.304] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:31:31.304] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:31:31.305] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:31:31.542] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.9.17610986931130.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765423891305, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 
49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:31:31.542] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 11:31:31.542] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:31:31.542] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:31:31.542] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:09.596] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25566 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.10.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.10.17610986931140.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=9ef979f15c038cff1e09ceafa93a41946fd00089a408ac7f8fe81ea129ec641c&X-Amz-Date=20251211T034009Z&X-Amz-SignedHeaders=host"} [2025-12-11 11:40:09.596] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:09.596] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:09.597] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:09.597] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:09.597] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:09.598] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:09.893] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.10.17610986931140.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765424409598, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:09.893] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:40:09.893] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:09.893] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:09.893] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:12.746] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25937 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.11.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.11.17610986931140.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=ecaa8463061b811e93d84bc7cba9f40e30ef7103765cc503a2c4ef018b902047&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T034012Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:40:12.747] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:12.747] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:12.747] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:12.747] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:12.747] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:12.747] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:12.997] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.11.17610986931140.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765424412747, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 
11:40:12.997] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 11:40:12.997] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:12.997] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:12.997] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:15.898] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25938 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.1.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.1.17610986931140.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=1310f3c0098cd2afef339550bd4ee3880c409ce283bcdbb91a3dea823dd6ebae&X-Amz-Date=20251211T034015Z"} [2025-12-11 11:40:15.898] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:15.898] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:15.898] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:15.898] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:15.898] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:15.898] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:16.142] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.1.17610986931140.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765424415898, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": 
"tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:16.142] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:40:16.142] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:16.142] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:16.142] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:19.093] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24805 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.12.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.12.17610986931140.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=0a2e691c5bbbed1da4cb2c9992578122f0738b792f481633252e39d9fe63bc78&X-Amz-Date=20251211T034018Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:40:19.093] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:19.093] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:19.093] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:19.093] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:19.093] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:19.093] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:19.366] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.12.17610986931140.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, 
"normal_count": 0, "timestamp": 1765424419093, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:19.366] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 11:40:19.366] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:19.366] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:19.366] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:22.248] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25939 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.13.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.13.17610986931140.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T034021Z&X-Amz-Signature=78029ed810ad687a85fd838f5fb7675f88890c89fbd1959df5b64d8a55579a2d&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 11:40:22.248] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:22.248] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:22.248] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:22.248] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:22.248] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function 
load [2025-12-11 11:40:22.249] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:22.495] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.13.17610986931140.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765424422249, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", 
"protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:22.495] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 11:40:22.495] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:22.495] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:22.495] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:25.619] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25567 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.14.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.14.17610986931140.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T034025Z&X-Amz-Expires=604800&X-Amz-Signature=242925795cfdd27cbefa18a38966eec2b1c3c16a9d660be28ec74ee4857de77a&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 11:40:25.619] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:25.619] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:25.619] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:25.619] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:25.619] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:25.620] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:25.876] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.14.17610986931140.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765424425620, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": 
"tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:25.876] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:40:25.876] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:25.876] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 11:40:25.876] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:28.742] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25568 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.15.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.15.17610986931140.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=a41dfb340662500c08366c5222f905ab3e6d6d91ce3d52c9a8c3d2d1469774c6&X-Amz-Date=20251211T034028Z&X-Amz-Expires=604800"} [2025-12-11 11:40:28.742] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:28.742] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:28.743] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:28.743] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:28.743] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:28.744] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:28.993] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.15.17610986931140.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765424428744, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, 
"2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:28.993] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 11:40:28.993] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:28.993] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:28.993] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:32.095] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25569 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.16.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.16.17610986931140.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T034031Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=5471eecd171c10e8d53e2fa80a5efae1c13f5d45207019ccc8b20eb97b58d619&X-Amz-SignedHeaders=host"} [2025-12-11 11:40:32.095] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:32.095] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:32.095] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:32.095] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:32.095] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:32.096] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:32.369] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.16.17610986931140.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765424432096, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", 
"src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:32.369] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 11:40:32.369] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:32.369] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:32.369] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:35.575] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24806 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.17.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.17.17610986931140.jsonl?X-Amz-Date=20251211T034035Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=a5dbc35108ff3892ca6e7c5ec37b1d2cb7857316121ba0bc6e107808bb16bea1&X-Amz-Expires=604800"} [2025-12-11 11:40:35.575] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:35.575] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:35.576] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:35.576] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:35.576] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:35.576] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:35.835] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.17.17610986931140.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765424435576, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:35.835] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:40:35.835] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:35.835] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:35.835] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:38.718] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25570 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.18.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.18.17610986931140.jsonl?X-Amz-Date=20251211T034038Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=4aaaa6cb1ee1e2ef52fd3101b647c963dd2ab4b505590166c7edac1a9fee7d19&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:40:38.719] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:38.719] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:38.719] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:38.719] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:38.719] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:38.719] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:38.959] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.18.17610986931140.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765424438719, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:38.959] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:40:38.959] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:38.959] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:38.959] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:41.870] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25940 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.19.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.19.17610986931140.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=dffaa2136ebb54df069b60569a8b0cd38c25a94b1add739a48a6ee5c589ab289&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T034041Z&X-Amz-Expires=604800"} [2025-12-11 11:40:41.870] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:41.870] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:41.870] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:41.870] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:41.870] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:41.871] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:42.157] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.19.17610986931140.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765424441871, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:42.157] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:40:42.157] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:42.157] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:42.157] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:45.046] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25941 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.20.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.20.17610986931140.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=dbddc255fa318c7eb4e8810bd018b17f7e1ba18ca4eaed61f1273caeca9f90ef&X-Amz-Date=20251211T034044Z"} [2025-12-11 11:40:45.046] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:45.047] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:45.047] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:45.047] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:45.047] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:45.047] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:45.291] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:11/output/gbm/alert.pcap.20.17610986931140.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765424445048, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", 
"src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:45.291] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:40:45.291] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:45.291] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:45.291] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:48.188] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24807 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.21.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.21.17610986931140.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T034047Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=c2827ec5092c418eb7fcf4d1bbd8a1e606dff53e5da228fba45b08a1470a4064"} [2025-12-11 11:40:48.189] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:48.189] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:48.189] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:48.189] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:48.189] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:48.189] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:48.429] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.21.17610986931140.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765424448189, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:48.430] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 11:40:48.430] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:48.430] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:48.430] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:51.378] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25942 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.2.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.2.17610986931140.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T034050Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=bcaa835499dbea2ddf64b6c50e7a614a37903fa5242c52e25bb35c426ca10b7a"} [2025-12-11 11:40:51.378] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:51.378] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:51.378] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:51.378] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:51.378] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:51.379] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:51.678] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.2.17610986931140.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765424451379, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:51.678] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 11:40:51.678] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:51.678] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:51.678] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:40:54.945] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24808 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.22.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.22.17610986931140.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=6fc18966e42c43d1b3f55d506f7382879b7f167abf3cc2afbb29fe82026665ef&X-Amz-Date=20251211T034054Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 11:40:54.945] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:54.945] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:54.945] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:54.945] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:54.945] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:54.946] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:55.204] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.22.17610986931140.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765424454947, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:55.204] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:40:55.204] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:55.204] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:55.204] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:40:58.809] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25571 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.23.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.23.17610986931140.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T034058Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=32f6f202fae0289efb3481f04121a6f64bc181175e2b5f1272c48d2a9588618a"} [2025-12-11 11:40:58.809] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:40:58.809] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:40:58.809] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:40:58.809] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:40:58.809] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:40:58.810] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:40:59.077] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.23.17610986931140.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765424458810, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:40:59.077] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 11:40:59.077] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:40:59.077] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:40:59.077] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:41:02.034] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25943 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.24.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.24.17610986931140.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T034101Z&X-Amz-Signature=6a2a0458efa245f6d28752f3f97f0f87db11470bb87aacb27b9afb033f394063&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:41:02.034] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:02.034] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:02.034] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:02.034] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:02.034] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:02.035] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:02.297] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.24.17610986931140.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765424462035, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:02.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:41:02.297] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:02.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:02.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:41:05.449] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25572 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.25.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.25.17610986931140.jsonl?X-Amz-Date=20251211T034105Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=6c9bdd25a56fdeaabe278fbdd152c2c24afa7390fd0a6e62953d520dd4f33dcc"} [2025-12-11 11:41:05.449] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:05.449] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:05.449] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:05.449] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:05.450] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:05.450] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:05.698] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.25.17610986931140.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765424465451, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:05.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:41:05.699] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:05.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:05.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:41:08.691] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25944 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.26.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.26.17610986931140.jsonl?X-Amz-Date=20251211T034108Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=ac312517a77154b477a01a530477a7b3a778c40c932d647ed07138bcf2db5967&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 11:41:08.691] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:08.691] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:08.691] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:08.692] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:08.692] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:08.692] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:08.968] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.26.17610986931140.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765424468692, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:08.968] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:41:08.968] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:08.968] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:08.968] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:41:11.910] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25945 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.3.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.3.17610986931140.jsonl?X-Amz-Date=20251211T034111Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ef88e270c8c548cbc7e8c36e0d13dd6b1d34c33aa7469a4731628b2089c4bddb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 11:41:11.910] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:11.910] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:11.911] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:11.911] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:11.911] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 11:41:11.911] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:12.188] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.3.17610986931140.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765424471911, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, 
"2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:12.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 11:41:12.188] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:12.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:12.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:41:15.049] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25946 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.4.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.4.17610986931140.jsonl?X-Amz-Date=20251211T034114Z&X-Amz-SignedHeaders=host&X-Amz-Signature=d0e73bf615f417a1cca06a3376e800d54ba823729631b33243149a2184ffadd7&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 11:41:15.050] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:15.050] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:15.050] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:15.050] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:15.050] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:15.050] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:15.276] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.4.17610986931140.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765424475050, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:15.276] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000 [2025-12-11 11:41:15.276] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:15.276] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:15.277] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:41:18.588] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24809 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.5.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.5.17610986931140.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T034118Z&X-Amz-Signature=2248c23822460123d942561afea553dfdced773ca5939d8560cc78e1054c9f37&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:41:18.588] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:18.588] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:18.589] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:18.589] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:18.589] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:18.589] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:18.858] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.5.17610986931140.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765424478589, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:18.858] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:41:18.858] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:18.858] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:18.858] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:41:21.730] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25573 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.6.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.6.17610986931140.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=10404396b90d3295b136f41d8736e0477e9a928bdca163754ce7f77a0d937126&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T034121Z"} [2025-12-11 11:41:21.730] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:21.730] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:21.731] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:21.731] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:21.731] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:21.732] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:21.967] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.6.17610986931140.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765424481732, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:21.967] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 11:41:21.967] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:21.967] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:21.967] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:41:24.956] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25947 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.7.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.7.17610986931140.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T034124Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=e0c6d3ee086bb7ea8334f7ceec54ed8fc458cb967814b29f90d49d9866267afd"} [2025-12-11 11:41:24.956] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:24.956] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:24.956] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:24.956] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:24.956] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:24.957] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:25.226] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.7.17610986931140.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765424484957, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", 
"protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:25.226] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:41:25.226] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:25.226] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:25.226] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:41:28.171] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24810 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.8.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.8.17610986931140.jsonl?X-Amz-Expires=604800&X-Amz-Signature=1a22b2831cdde1fcfd9655768a459a0ab28bedb68c58ba61e80dd91277b904b0&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T034127Z"} [2025-12-11 11:41:28.171] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:28.171] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:28.171] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:28.171] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:28.171] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:28.171] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:28.410] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.8.17610986931140.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765424488171, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:28.410] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 11:41:28.410] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
11:41:28.410] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:28.410] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:41:31.359] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25948 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.9.17610986931140.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.9.17610986931140.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T034130Z&X-Amz-Signature=8ef77e5003923830b313d13a4e636dfc45fe7b87d478fc2bd12091d070594133&X-Amz-Expires=604800"} [2025-12-11 11:41:31.359] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:31.359] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:31.359] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:31.359] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:31.359] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:31.360] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:31.593] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.9.17610986931140.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765424491360, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:41:31.593] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 11:41:31.593] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:41:31.593] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:41:31.593] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:41:34.749] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24811 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.9.1765424440.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.9.1765424440.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=05cf91af452b4631a773cb963b54a21da431631e2bde5160522a2a5ad242cd18&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T034134Z"} [2025-12-11 11:41:34.749] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:41:34.749] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:41:34.749] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:41:34.749] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:41:34.749] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:41:34.750] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:41:34.756] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.9.1765424440.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765424494750, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:41:34.756] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:41:34.756] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:09.683] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25574 key: NULL payload: 
{"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.10.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.10.17610986931150.jsonl?X-Amz-Date=20251211T035009Z&X-Amz-Signature=761f822f958ba69fbf77c2f67b184506a9877241fbf2672d9c8e9ebb4852650b&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 11:50:09.683] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:09.683] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:09.683] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:09.683] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:09.683] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:09.684] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:09.963] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.10.17610986931150.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765425009684, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:09.963] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:50:09.963] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:09.963] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:09.963] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:12.818] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25949 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.11.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.11.17610986931150.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035012Z&X-Amz-Signature=e86343e923adc3dd3dd5e50f56a14d62616a687d8210b299aee97c5342e330d8"} [2025-12-11 11:50:12.819] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:12.819] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:12.819] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:12.819] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:12.819] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:12.819] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:13.079] 
[DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.11.17610986931150.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765425012819, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:13.079] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 11:50:13.079] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:13.079] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:13.079] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:15.971] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25575 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.1.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.1.17610986931150.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=57625298552a4e73700cd4d36a1367d493c3592c8a772b4fcf3e6398f766b0f8&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T035015Z"} [2025-12-11 11:50:15.971] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:15.971] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:15.971] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:15.971] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:15.971] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:15.971] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:16.223] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.1.17610986931150.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765425015971, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:16.223] [INFO] 
[tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:50:16.223] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:16.223] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:16.223] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:19.179] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25950 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.12.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.12.17610986931150.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=c769cfe9aea731a7e1ac8c02c56bffe26603af269d6d70451f55a6a4abb1295a&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035018Z"} [2025-12-11 11:50:19.179] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:19.179] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:19.179] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:19.179] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:19.179] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:19.179] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:19.426] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.12.17610986931150.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765425019179, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": 
"120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:19.426] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 11:50:19.426] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:19.426] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:19.426] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:22.339] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25951 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.13.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.13.17610986931150.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=cf947fee31b743834617283cb9ca4bba5e87b4aa4f7308b89bfd85d1584eb8c7&X-Amz-Date=20251211T035021Z"} [2025-12-11 11:50:22.339] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:22.339] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:22.339] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:22.339] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:22.339] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:22.339] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:22.595] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.13.17610986931150.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765425022339, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": 
"tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:22.595] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 11:50:22.595] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:22.595] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:22.595] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:50:25.735] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24812 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.14.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.14.17610986931150.jsonl?X-Amz-Expires=604800&X-Amz-Signature=542118548e13ee04f2a1487d1f26ea092b802fbf31e4fded06f253bae892f837&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035025Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 11:50:25.735] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:25.736] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:25.736] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:25.736] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:25.736] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:25.736] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:25.973] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.14.17610986931150.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765425025736, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:25.973] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:50:25.973] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:25.973] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 11:50:25.973] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:28.862] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25576 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.15.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.15.17610986931150.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=8f800b275f32c5040d6adfa5af1de1c0b1323c92d66f17ba79fef1a895c01213&X-Amz-Expires=604800&X-Amz-Date=20251211T035028Z"} [2025-12-11 11:50:28.862] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:28.862] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:28.862] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:28.862] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:28.862] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:28.863] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:29.100] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.15.17610986931150.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765425028863, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:29.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 11:50:29.100] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:29.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:29.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:50:32.139] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25952 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.16.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.16.17610986931150.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=cd480cbc87b85d7601ebb3dada3ec0d2f6acdf50cfb5a5c6369e73ec407652c7&X-Amz-Date=20251211T035031Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 11:50:32.139] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:32.139] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:32.140] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:32.140] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:32.140] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:32.140] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:32.434] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.16.17610986931150.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765425032140, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:32.434] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 11:50:32.434] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:32.434] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:32.434] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:50:35.600] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24813 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.17.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.17.17610986931150.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035035Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=2361668cbd7b0af47a4537a5bc269c4739f7ffaf824cd9f13e7cddc0c34599ee&X-Amz-SignedHeaders=host"} [2025-12-11 11:50:35.600] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:35.600] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:35.601] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:35.601] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:35.601] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:35.601] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:35.851] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.17.17610986931150.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765425035601, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:35.851] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:50:35.851] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:35.851] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:35.851] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:38.746] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25953 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.18.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.18.17610986931150.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=d14188db1d19d7588ce6e2549544567def7d92969f971cee6f265d8a2bfdf6d1&X-Amz-Date=20251211T035038Z"} [2025-12-11 11:50:38.746] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:38.746] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:38.746] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:38.746] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:38.746] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:38.747] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:38.978] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.18.17610986931150.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765425038747, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:38.979] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:50:38.979] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:38.979] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:38.979] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:50:41.885] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25577 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.19.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.19.17610986931150.jsonl?X-Amz-Signature=06174bfa721335717b05dde27bf145c1c4b6727d7e79c340f140f62ba53a12ca&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035041Z&X-Amz-Expires=604800"} [2025-12-11 11:50:41.885] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:41.886] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:41.886] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:41.886] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:41.886] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:41.887] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:42.125] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.19.17610986931150.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765425041887, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:42.125] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:50:42.125] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:42.125] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:42.125] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:45.060] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24814 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.20.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.20.17610986931150.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T035044Z&X-Amz-Signature=b8b02b1b4eea175b987526feb0f99550ae4cb0e5abc177c3c7d0b33f3da252f1&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 11:50:45.060] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:45.060] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:45.061] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:45.061] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:45.061] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:45.061] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:45.310] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:11/output/gbm/alert.pcap.20.17610986931150.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765425045062, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", 
"src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:45.310] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:50:45.310] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:45.310] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:45.310] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:50:48.196] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25954 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.21.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.21.17610986931150.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035047Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=912247977375e5fd22e34d678ddf0dbb95994652e260c03bcb86744110eaf88e"} [2025-12-11 11:50:48.197] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:48.197] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:48.197] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:48.197] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:48.197] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:48.197] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:48.455] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.21.17610986931150.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765425048197, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:48.455] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 11:50:48.455] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:48.455] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:48.456] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:50:51.429] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25955 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.2.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.2.17610986931150.jsonl?X-Amz-Signature=360b62e6c29adb024fd64c2b7c33463c95a64a2457a0df40f6308498f3172cbf&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035051Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 11:50:51.429] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:51.429] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:51.430] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:51.430] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:51.430] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:51.430] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:51.728] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.2.17610986931150.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765425051430, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:51.728] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 11:50:51.728] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:51.728] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:51.728] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:50:54.937] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25956 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.22.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.22.17610986931150.jsonl?X-Amz-Signature=aaf74be942ab02a2edcf2d0713eefca3e0281e0befa0b1f771686bba7f0cf6dd&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035054Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 11:50:54.937] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:54.937] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:54.937] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:54.937] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:54.937] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:54.938] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:55.188] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.22.17610986931150.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765425054938, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:55.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:50:55.188] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:55.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:55.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:50:58.887] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24815 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.23.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.23.17610986931150.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T035058Z&X-Amz-SignedHeaders=host&X-Amz-Signature=3cfeb07ddd279e79b0ebda06f4082172e0819d0da9b3ad34855e9fd210033a3b"} [2025-12-11 11:50:58.887] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:50:58.887] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:50:58.887] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:50:58.887] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:50:58.887] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:50:58.888] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:50:59.142] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.23.17610986931150.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765425058888, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:50:59.142] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 11:50:59.142] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:50:59.142] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:50:59.142] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:51:02.112] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25578 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.24.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.24.17610986931150.jsonl?X-Amz-Signature=22923ab7b03a58ccfc836f246e608b95a3c59b8ed292e627f12ec7798a0582e0&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T035101Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 11:51:02.112] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:02.112] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:02.112] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:02.112] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:02.112] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:02.112] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:02.299] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.24.17610986931150.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765425062112, "module": 
"anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", 
"protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:02.300] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:51:02.300] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:02.300] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:02.300] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:51:05.536] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24816 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.25.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.25.17610986931150.jsonl?X-Amz-Expires=604800&X-Amz-Signature=9205e1f998b53509bf1166f6ba5e0dfc3842e2158b68828fe9b45365b378fe15&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T035105Z"} [2025-12-11 11:51:05.537] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:05.537] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:05.537] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:05.537] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:05.537] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:05.538] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:05.796] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.25.17610986931150.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765425065538, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:05.796] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 11:51:05.796] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:05.796] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:05.796] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:51:08.786] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25579 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.26.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.26.17610986931150.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T035108Z&X-Amz-SignedHeaders=host&X-Amz-Signature=fb1e185df14b3d28a47b20e170d512be3742e7e81b765cfcfc34cd79c45f1fe0"} [2025-12-11 11:51:08.786] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:08.786] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:08.787] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:08.787] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:08.787] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:08.788] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:09.029] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.26.17610986931150.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765425068788, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 
50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:09.029] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 11:51:09.029] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:09.029] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:09.029] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:51:12.008] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25957 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.3.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.3.17610986931150.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=57c7e09860eaed79d53526b68463d0fdfbcbe8f1422103f9b78e822749b70e7d&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T035111Z"} [2025-12-11 11:51:12.008] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:12.008] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:12.008] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:12.008] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:12.008] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 11:51:12.009] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:12.282] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.3.17610986931150.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765425072009, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:12.282] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 11:51:12.282] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:12.282] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:12.282] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:51:15.140] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25958 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.4.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.4.17610986931150.jsonl?X-Amz-Signature=8541790554a96a0d639d30b981c0d6ed6863e62eeeb15abf5d2536d544176e40&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T035114Z"} [2025-12-11 11:51:15.140] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:15.140] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:15.140] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:15.140] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:15.140] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:15.141] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:15.370] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.4.17610986931150.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765425075141, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:15.370] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000 [2025-12-11 11:51:15.370] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:15.370] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:15.370] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:51:18.663] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25580 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.5.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.5.17610986931150.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T035118Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=96d927aba8140939ce38ed55a247b779c6f71dce704fdb19491755d5991428e4"} [2025-12-11 11:51:18.663] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:18.663] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:18.663] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:18.663] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:18.663] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:18.664] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:18.929] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.5.17610986931150.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765425078664, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 
50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:18.929] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:51:18.929] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:18.929] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:18.929] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:51:21.804] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24817 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.6.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.6.17610986931150.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=16eb44badc3d9ba74f6536c91403a30bfd7aa630b33c55ea506b104cc62e4796&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T035121Z"} [2025-12-11 11:51:21.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:21.804] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:21.805] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:21.805] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:21.805] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:21.805] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:22.033] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.6.17610986931150.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765425081805, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:22.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 11:51:22.033] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:22.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:22.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:51:25.076] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24818 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.7.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.7.17610986931150.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T035124Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=53dfc1b93de2a816e37ac6db10bed6cc821ffc9bc74f241597bb40cc084b96fe"} [2025-12-11 11:51:25.077] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:25.077] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:25.077] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:25.077] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:25.077] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:25.077] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:25.361] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.7.17610986931150.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765425085078, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:25.361] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 11:51:25.361] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:25.361] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:25.361] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:51:28.268] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24819 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.8.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.8.17610986931150.jsonl?X-Amz-Signature=fc2c84edfe726c4e6181ab57deb7de707638b85f55ac712c4fc0719d94fa7423&X-Amz-Date=20251211T035127Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 11:51:28.268] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:28.268] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:28.268] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:28.268] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:28.268] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:28.268] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:28.514] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.8.17610986931150.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765425088268, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 
1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:28.514] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 11:51:28.514] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
11:51:28.514] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:28.514] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 11:51:31.459] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24820 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.9.17610986931150.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.9.17610986931150.jsonl?X-Amz-Signature=d8021535a0e49f45a2cfe62161caaf41f4b3a2ac8e9467f5cf3c2300f4808698&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T035131Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 11:51:31.460] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:51:31.460] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:51:31.460] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:51:31.460] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:51:31.460] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:51:31.461] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:51:31.691] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.9.17610986931150.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765425091461, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 11:51:31.691] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 11:51:31.691] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 11:51:31.691] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 11:51:31.691] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 11:55:48.220] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25581 key: NULL payload: {"bucket":"2025-12-11","object":"11/output/gbm/alert.pcap.9.1765425341.jsonl","url":"http://111.32.12.11:9000/2025-12-11/11/output/gbm/alert.pcap.9.1765425341.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=cae42f52d70994d46d2144479bb499e706269a556458b7a302f54bf2933d39b8&X-Amz-Date=20251211T035547Z&X-Amz-Expires=604800"} [2025-12-11 11:55:48.220] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 11:55:48.220] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 11:55:48.220] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 11:55:48.220] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 11:55:48.220] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 11:55:48.221] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 11:55:48.227] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:11/output/gbm/alert.pcap.9.1765425341.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765425348221, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 11:55:48.227] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 11:55:48.227] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:09.763] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24821 key: NULL payload: 
{"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.10.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.10.17610986931200.jsonl?X-Amz-Date=20251211T040009Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=47da57ff20a4131f34b198c514b1fb30f05e8062964cfc43809ee6def2109159&X-Amz-SignedHeaders=host"} [2025-12-11 12:00:09.763] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:09.763] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:09.763] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:09.763] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:09.763] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:09.764] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:09.951] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.10.17610986931200.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765425609765, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", 
"src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:09.951] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:00:09.951] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:09.951] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:09.951] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:12.912] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25959 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.11.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.11.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T040012Z&X-Amz-SignedHeaders=host&X-Amz-Signature=c3c753c4f7e800302edb9a2f0327c300e4d5ca6442b6f331ee242070242a72d4"} [2025-12-11 12:00:12.912] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:12.912] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:12.912] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:12.912] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:12.912] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:12.912] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 
[2025-12-11 12:00:13.100] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.11.17610986931200.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765425612912, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:13.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:00:13.100] [DEBUG] 
[tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:13.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:13.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:16.105] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24822 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.1.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.1.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T040015Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=c39ba43ca882526d82ecd9135254093632f21d66c82edada4cbd9be48a785fd5&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 12:00:16.105] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:16.105] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:16.105] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:16.105] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:16.105] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:16.105] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:16.324] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.1.17610986931200.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765425616105, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:16.324] 
[INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:00:16.324] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:16.324] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:16.324] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:19.316] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25582 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.12.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.12.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T040018Z&X-Amz-SignedHeaders=host&X-Amz-Signature=0a53cb3c8ea27cbc403414278e4b791c8df0a0676ab2de1294440693deab105b&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:00:19.316] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:19.316] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:19.316] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:19.316] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:19.316] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:19.316] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:19.581] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.12.17610986931200.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765425619317, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", 
"dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:19.581] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 12:00:19.581] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:19.581] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:19.581] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:22.473] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24823 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.13.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.13.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=131ad88dbf39e6d66317735037ac79fcea214b7ef2a6d8946cdb94b6e1b7c349&X-Amz-Date=20251211T040022Z"} [2025-12-11 12:00:22.473] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:22.473] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:22.473] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:22.473] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:22.473] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:22.479] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:22.744] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.13.17610986931200.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765425622479, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:22.744] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 12:00:22.744] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:22.744] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:22.744] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:00:25.850] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24824 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.14.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.14.17610986931200.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T040025Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=10e07ab48e582de80fdc7d43e153ab24bac1e0c46cb51ea604a450f8f5c8fdcb"} [2025-12-11 12:00:25.850] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:25.850] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:25.850] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:25.850] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:25.850] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:25.850] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:26.036] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.14.17610986931200.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765425625850, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:26.036] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:00:26.036] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:26.036] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 12:00:26.036] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:28.974] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25583 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.15.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.15.17610986931200.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=90b26c4f51098ec32c5dab36bb393441dffb4690635fca554875fccaa10183d6&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T040028Z&X-Amz-Expires=604800"} [2025-12-11 12:00:28.974] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:28.974] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:28.975] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:28.975] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:28.975] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:28.975] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:29.163] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.15.17610986931200.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765425628975, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:29.163] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:00:29.163] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:29.163] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:29.163] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:00:32.312] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24825 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.16.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.16.17610986931200.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=2b0c825dead1b0639a198b18c34dfeb5eb9d649e8df00def80b6927f15ca5322&X-Amz-Date=20251211T040031Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 12:00:32.312] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:32.312] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:32.312] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:32.312] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:32.312] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:32.312] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:32.517] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.16.17610986931200.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765425632312, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:32.517] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:00:32.517] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:32.517] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:32.517] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:00:35.771] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25584 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.17.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.17.17610986931200.jsonl?X-Amz-Signature=7ef3e46cc994bbb67db39f7aecfcc16252096badb69cf9248c623762cecd812e&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T040035Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:00:35.771] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:35.771] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:35.771] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:35.771] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:35.771] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:35.771] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:35.964] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.17.17610986931200.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765425635771, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:35.964] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:00:35.964] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:35.964] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:35.964] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:38.908] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25960 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.18.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.18.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T040038Z&X-Amz-Signature=ea530c4a62dff4879c6872273624d13215326c98a7c7937d6b7fe0ac182bf859&X-Amz-SignedHeaders=host"} [2025-12-11 12:00:38.908] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:38.908] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:38.908] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:38.908] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:38.908] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:38.909] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:39.096] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.18.17610986931200.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765425638909, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:39.096] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:00:39.096] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:39.096] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:39.096] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:00:42.049] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25585 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.19.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.19.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T040041Z&X-Amz-Signature=0a7e5145e9078d1e13bfb2d8708bc8397c87b9c6a16f139ef38269679a5c13b3&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 12:00:42.049] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:42.049] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:42.050] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:42.050] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:42.050] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:42.050] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:42.376] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.19.17610986931200.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765425642050, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": 
"tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:42.376] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:00:42.376] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:42.376] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:42.376] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:45.279] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24826 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.20.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.20.17610986931200.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T040044Z&X-Amz-Expires=604800&X-Amz-Signature=868b654e343a2c8696a3cf207b85af66fe5122e27cbba99cd6d7fa16d6aed3cb"} [2025-12-11 12:00:45.279] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:45.279] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:45.279] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:45.279] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:45.279] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:45.280] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:45.529] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:12/output/gbm/alert.pcap.20.17610986931200.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765425645280, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", 
"src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:45.529] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:00:45.529] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:45.529] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:45.529] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:00:48.464] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25586 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.21.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.21.17610986931200.jsonl?X-Amz-Signature=922f696f9c99b3f30190078518625c21d0c73ec2cbea038240cfa212d455e11b&X-Amz-Date=20251211T040048Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:00:48.464] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:48.464] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:48.464] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:48.464] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:48.464] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:48.464] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:48.753] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.21.17610986931200.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765425648465, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", 
"src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:48.753] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:00:48.753] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:48.753] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:48.753] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:00:51.664] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25961 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.2.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.2.17610986931200.jsonl?X-Amz-Date=20251211T040051Z&X-Amz-Signature=b4e6617466a73e7e818448634fdb59361fdcde69abb2331389c2aeb2df073d2a&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 12:00:51.664] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:51.664] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:51.664] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:51.664] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:51.664] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:51.664] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:51.926] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.2.17610986931200.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765425651665, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:51.926] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:00:51.926] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:51.926] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:51.926] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:00:55.173] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24827 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.22.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.22.17610986931200.jsonl?X-Amz-Expires=604800&X-Amz-Signature=bebee7a26cb612eb2c3f5ecb436e94ab8743bf1b410a1072b8cdfe20172016eb&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T040054Z"} [2025-12-11 12:00:55.173] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:55.173] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:55.173] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:55.173] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:55.173] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:55.174] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:55.419] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.22.17610986931200.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765425655174, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:55.419] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:00:55.419] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:55.419] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:55.419] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:00:59.039] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24828 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.23.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.23.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=aafb31127bb97a71231462a9c31fa601e461d62e97da4dd3172440fdb278a3c4&X-Amz-Date=20251211T040058Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 12:00:59.039] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:00:59.039] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:00:59.039] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:00:59.039] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:00:59.039] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:00:59.040] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:00:59.297] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.23.17610986931200.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765425659040, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": 
"tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:00:59.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:00:59.297] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:00:59.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:00:59.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:01:02.264] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25962 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.24.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.24.17610986931200.jsonl?X-Amz-Expires=604800&X-Amz-Signature=fe8ed5e4ebe941ea4551a7fc69a45f0801c7efcd9dcd70b2c4e17fc5e1696e32&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T040101Z"} [2025-12-11 12:01:02.264] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:02.264] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:02.264] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:02.264] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:02.264] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:02.265] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:02.496] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.24.17610986931200.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765425662265, "module": 
"anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", 
"protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:02.497] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:01:02.497] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:02.497] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:02.497] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:01:05.690] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25963 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.25.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.25.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=c910dcece98075259bb4ff20dd1897ee98b925627900d4f671e3740aeb97a8a7&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T040105Z"} [2025-12-11 12:01:05.690] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:05.690] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:05.691] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:05.691] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:05.691] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:05.691] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:05.925] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.25.17610986931200.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765425665691, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:05.925] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:01:05.925] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:05.925] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:05.925] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:01:08.935] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25587 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.26.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.26.17610986931200.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=592e386b22857806e3b8f06c4e8dfb324af6c740ca455a0fb37d67e15372abd3&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T040108Z&X-Amz-Expires=604800"} [2025-12-11 12:01:08.935] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:08.935] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:08.935] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:08.935] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:08.935] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:08.936] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:09.194] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.26.17610986931200.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765425668936, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 
49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:09.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:01:09.194] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:09.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:09.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:01:12.160] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25588 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.3.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.3.17610986931200.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=c2144151a318da12a5d474b9fc223a170a9c19f8f5dc641445b70cf7f0b348e4&X-Amz-Date=20251211T040111Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:01:12.160] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:12.160] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:12.160] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:12.160] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:12.160] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 12:01:12.160] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:12.414] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.3.17610986931200.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765425672160, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:12.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 12:01:12.414] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:12.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:12.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:01:15.290] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24829 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.4.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.4.17610986931200.jsonl?X-Amz-Signature=b164f3ba4d38d2284ce1b3a43e932718bda3355cc4b9896872baeaa0209da374&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T040114Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:01:15.290] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:15.290] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:15.290] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:15.290] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:15.290] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:15.290] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:15.510] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.4.17610986931200.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765425675291, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:15.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 12:01:15.510] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:15.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:15.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:01:18.781] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25964 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.5.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.5.17610986931200.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=3e9468d0606b66debb065e49b3334ddcea088944f7f35e72be9bc1a1cbe86e09&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T040118Z&X-Amz-Expires=604800"} [2025-12-11 12:01:18.781] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:18.781] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:18.782] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:18.782] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:18.782] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:18.782] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:19.033] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.5.17610986931200.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765425678783, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, 
"dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:19.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:01:19.033] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:19.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:19.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:01:21.926] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25589 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.6.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.6.17610986931200.jsonl?X-Amz-Date=20251211T040121Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=64ba2a7e30c20fc2921a6ef53238537896305caf07990e9ee22e09fcdd876c90&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 12:01:21.926] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:21.926] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:21.926] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:21.926] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:21.926] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:21.927] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:22.194] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.6.17610986931200.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765425681927, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:22.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 12:01:22.194] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:22.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:22.194] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:01:25.139] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25590 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.7.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.7.17610986931200.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=8e1adb206eb0f6328528036f26b3f62303433d0e58d19a0183a91428e7319c45&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T040124Z"} [2025-12-11 12:01:25.139] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:25.139] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:25.140] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:25.140] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:25.140] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:25.140] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:25.371] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.7.17610986931200.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765425685140, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:25.371] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:01:25.371] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:25.371] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:25.371] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:01:28.328] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25965 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.8.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.8.17610986931200.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T040127Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=f87f2d1b3543f7af86510057ff108d8707442817746092edd4c8d7673c719b50"} [2025-12-11 12:01:28.328] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:28.328] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:28.329] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:28.329] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:28.329] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:28.329] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:28.568] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.8.17610986931200.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765425688329, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 
1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:28.568] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:01:28.568] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
12:01:28.568] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:28.568] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:01:31.526] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25966 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.17610986931200.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.17610986931200.jsonl?X-Amz-Date=20251211T040131Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=95360a58e43907e5339d32b2dd5ab849b395e89042eda8ef542c3237e28fe16f&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:01:31.526] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:01:31.526] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:01:31.526] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:01:31.526] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:01:31.526] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:01:31.527] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:01:31.764] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.17610986931200.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765425691527, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:01:31.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:01:31.764] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:01:31.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:01:31.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:09.873] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25967 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.10.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.10.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T041009Z&X-Amz-Signature=c72dea8c782a12128dc82831b09b89651e54afd33b38c89e4324dd30e4d598f2"} [2025-12-11 12:10:09.873] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:09.873] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:09.873] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:09.873] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:09.873] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:09.874] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:10.155] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.10.17610986931210.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765426209875, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:10.155] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:10:10.155] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:10.155] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:10.155] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:13.063] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25591 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.11.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.11.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T041012Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=4b8d029a91eb8ab57904a827d31d40c9d3ffbc2c099f94e357cf5d30d9fde89a"} [2025-12-11 12:10:13.063] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:13.063] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:13.063] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:13.064] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:13.064] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:13.064] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:13.251] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.11.17610986931210.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765426213064, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 
12:10:13.251] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:10:13.251] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:13.251] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:13.251] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:16.216] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25968 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.1.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.1.17610986931210.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=0984b57ea4a8d9a6fdc2ec0b61c72c7dc0557852e219500dbd046b0bf8e01693&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041015Z"} [2025-12-11 12:10:16.216] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:16.216] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:16.216] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:16.216] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:16.216] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:16.216] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:16.409] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.1.17610986931210.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765426216216, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": 
"10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": 
"tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:16.409] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:10:16.409] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:16.409] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:16.409] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:19.412] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25592 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.12.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.12.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=6de268658c343c21372aca100da47151cc2e49c1acc5cc922f94179dba9494b0&X-Amz-Expires=604800&X-Amz-Date=20251211T041018Z"} [2025-12-11 12:10:19.412] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:19.412] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:19.413] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:19.413] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:19.413] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:19.413] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:19.689] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.12.17610986931210.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, 
"normal_count": 0, "timestamp": 1765426219414, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:19.689] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 12:10:19.689] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:19.689] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:19.689] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:22.584] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25969 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.13.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.13.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041022Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=4b433aa0df2b5bd01b8f4ff6472d664f642b9ba51f20057dba5ca6df9e3d449d&X-Amz-SignedHeaders=host"} [2025-12-11 12:10:22.584] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:22.584] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:22.584] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:22.584] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:22.584] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function 
load [2025-12-11 12:10:22.585] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:22.832] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.13.17610986931210.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765426222585, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:22.832] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 12:10:22.832] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:22.832] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:22.832] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:25.963] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25970 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.14.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.14.17610986931210.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T041025Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=6ba8eaa556ddb6c695c541d860f0e1dabc628a1c17f2fc40fa223b14f1367a99"} [2025-12-11 12:10:25.963] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:25.963] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:25.963] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:25.963] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:25.963] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:25.964] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:26.198] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.14.17610986931210.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765426225964, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:26.198] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:10:26.198] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:26.198] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 12:10:26.198] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:29.087] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25593 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.15.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.15.17610986931210.jsonl?X-Amz-Date=20251211T041028Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=549c60535df62f1947d2d9e26158cfba1bd1dd647c30b42d019bc02af078e6ea"} [2025-12-11 12:10:29.087] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:29.087] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:29.088] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:29.088] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:29.088] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:29.088] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:29.357] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.15.17610986931210.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765426229088, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:29.357] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:10:29.357] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:29.357] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:29.357] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:32.431] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24830 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.16.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.16.17610986931210.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T041031Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=4e42d5e6495795882d023d6e37ef5d2c5cef8efd5f16c63fc4ebc2425dd0d7b9&X-Amz-SignedHeaders=host"} [2025-12-11 12:10:32.431] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:32.431] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:32.431] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:32.431] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:32.431] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:32.433] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:32.703] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.16.17610986931210.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765426232433, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:32.703] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:10:32.703] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:32.703] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:32.703] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:35.908] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25971 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.17.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.17.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T041035Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=9cc040a7505c07511599e3adae5f214fd26c8f3d612e185a24fb5e64d42c68e3"} [2025-12-11 12:10:35.908] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:35.908] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:35.908] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:35.908] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:35.908] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:35.909] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:36.165] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.17.17610986931210.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765426235909, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:36.165] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:10:36.165] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:36.165] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:36.165] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:39.041] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25594 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.18.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.18.17610986931210.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=7f37eaf5ed6fb0cecfa0d1d1736af049f855615f42372abc5de156204fd74da9&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041038Z"} [2025-12-11 12:10:39.041] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:39.041] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:39.041] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:39.041] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:39.041] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:39.042] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:39.294] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.18.17610986931210.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765426239042, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:39.294] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:10:39.294] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:39.294] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:39.294] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:42.178] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24831 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.19.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.19.17610986931210.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T041041Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=a14be6cafa01078d3858aa10600ada28cd3ab9cfd65b9cc47829f563fb33e234"} [2025-12-11 12:10:42.178] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:42.178] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:42.179] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:42.179] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:42.179] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:42.179] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:42.441] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.19.17610986931210.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765426242179, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": 
"tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:42.441] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:10:42.441] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:42.441] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:42.441] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:45.369] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24832 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.20.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.20.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041044Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=c1228dac3674a4af73b656a3986d02edf58ffc14b659c39929d6871758588813&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:10:45.370] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:45.370] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:45.370] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:45.370] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:45.370] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:45.371] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:45.628] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:12/output/gbm/alert.pcap.20.17610986931210.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765426245371, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", 
"src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:45.628] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:10:45.628] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:45.628] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:45.628] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:48.509] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25972 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.21.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.21.17610986931210.jsonl?X-Amz-Date=20251211T041048Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=81ed2fe7b2761c7d4f2917f8c2eea1166f4790524736c33725e8e8a9c40e73ec"} [2025-12-11 12:10:48.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:48.510] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:48.510] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:48.510] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:48.510] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:48.510] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:48.771] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.21.17610986931210.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765426248510, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", 
"protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:48.771] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:10:48.771] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:48.771] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:48.771] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:51.699] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24833 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.2.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.2.17610986931210.jsonl?X-Amz-Signature=88041b87e267fb52168ec0fd1629632926b77442ee01aa1b47c5df5791a58fe9&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041051Z&X-Amz-SignedHeaders=host"} [2025-12-11 12:10:51.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:51.699] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:51.699] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:51.699] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:51.699] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:51.700] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:51.966] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.2.17610986931210.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765426251700, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:51.966] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:10:51.966] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:51.966] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:51.966] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:10:55.201] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24834 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.22.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.22.17610986931210.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=1272ea80d1276454ac20ef03553a022115f42616ab8184fc78c94a02fbd321c8&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T041054Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:10:55.201] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:55.201] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:55.201] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:55.201] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:55.201] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:55.202] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:55.465] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.22.17610986931210.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765426255202, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:55.465] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:10:55.465] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:55.465] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:55.465] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:10:58.882] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25973 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.23.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.23.17610986931210.jsonl?X-Amz-Expires=604800&X-Amz-Signature=8e64974789ae9b4fa220c60c85ab5db6ef6feb42e9e9341a9df6dd9c71b20aab&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041058Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:10:58.882] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:10:58.882] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:10:58.882] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:10:58.882] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:10:58.882] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:10:58.883] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:10:59.118] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.23.17610986931210.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765426258883, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", 
"protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:10:59.118] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:10:59.118] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:10:59.118] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:10:59.118] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:11:02.108] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25974 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.24.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.24.17610986931210.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=f91acf39cdca16dd715056da6b05a892342f42855cf3a44eb17cf5d7277665f5&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T041101Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:11:02.108] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:02.108] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:02.108] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:02.108] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:02.108] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:02.109] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:02.383] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.24.17610986931210.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765426262109, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:02.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:11:02.384] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:02.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:02.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:11:05.522] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25975 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.25.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.25.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T041105Z&X-Amz-Signature=d00fcaaeea241484a9c50a1ae2627166b3f65dfb1049f185492d18ef9e03fb37&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:11:05.523] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:05.523] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:05.523] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:05.523] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:05.523] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:05.524] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:05.777] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.25.17610986931210.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765426265524, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:05.777] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:11:05.777] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:05.777] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:05.777] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:11:08.780] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24835 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.26.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.26.17610986931210.jsonl?X-Amz-Signature=da0ef439384e3202d088966fbb2ae9492b126a40e9264e06c1bd0c62255fce58&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041108Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:11:08.780] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:08.780] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:08.780] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:08.780] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:08.780] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:08.781] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:09.057] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.26.17610986931210.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765426268782, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": 
"tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:09.057] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:11:09.057] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:09.057] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:09.057] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:11:12.009] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25976 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.3.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.3.17610986931210.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T041111Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=ad58e1429233805bcf29cac19d99c8d409d4721f4790f92456710d412c773398&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:11:12.009] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:12.009] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:12.009] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:12.009] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:12.009] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for 
function load [2025-12-11 12:11:12.010] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:12.276] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.3.17610986931210.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765426272010, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:12.276] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 12:11:12.277] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:12.277] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:12.277] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:11:15.147] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25595 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.4.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.4.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T041114Z&X-Amz-Signature=cc5fc71e8ce057399d9e72a8727b6ca40cb0c3023ff4d2040541dbe522bddaac&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 12:11:15.147] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:15.147] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:15.148] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:15.148] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:15.148] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:15.148] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:15.374] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.4.17610986931210.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765426275148, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:15.375] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000 [2025-12-11 12:11:15.375] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:15.375] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:15.375] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:11:18.683] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24836 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.5.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.5.17610986931210.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=b69b796132af5ef86e1f5d1410953f5b955763fac586e65dda1624289969f7c1&X-Amz-Date=20251211T041118Z"} [2025-12-11 12:11:18.683] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:18.683] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:18.683] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:18.684] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:18.684] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:18.684] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:18.962] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.5.17610986931210.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765426278684, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:18.962] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:11:18.962] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:18.962] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:18.962] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:11:21.824] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25977 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.6.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.6.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=f178db51690d63766efd60a935058c043ee11dbf27159c760d87f0395a71ad35&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T041121Z"} [2025-12-11 12:11:21.824] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:21.824] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:21.825] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:21.825] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:21.825] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:21.825] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:22.067] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.6.17610986931210.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765426281825, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:22.067] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 12:11:22.067] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:22.067] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:22.067] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:11:25.037] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25596 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.7.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.7.17610986931210.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T041124Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=9f1cf2c46589300fbfed65dc075a630b57e1b57016e3a5d68e0e5e52a72041db"} [2025-12-11 12:11:25.037] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:25.037] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:25.037] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:25.037] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:25.038] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:25.038] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:25.287] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.7.17610986931210.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765426285039, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:25.287] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:11:25.287] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:25.287] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:25.287] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:11:28.230] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25597 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.8.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.8.17610986931210.jsonl?X-Amz-Date=20251211T041127Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=fff80f6600dafc4c64b44365df54be33b8aef6bed5b470f7255207c5f5433ab7"} [2025-12-11 12:11:28.230] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:28.230] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:28.230] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:28.230] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:28.230] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:28.230] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:28.479] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.8.17610986931210.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765426288230, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:28.479] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:11:28.479] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
12:11:28.479] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:28.479] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:11:31.423] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25978 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.17610986931210.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.17610986931210.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=a07592bf4858063b5ae78378358f3a3a7dadc2940577294a8a347f490055aa49&X-Amz-Date=20251211T041131Z"} [2025-12-11 12:11:31.423] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:31.423] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:31.423] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:31.424] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:31.424] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:31.424] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:31.665] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.17610986931210.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765426291425, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", 
"src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:11:31.665] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:11:31.665] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:11:31.665] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:11:31.665] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:11:34.781] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24837 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.1765426242.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.1765426242.jsonl?X-Amz-Date=20251211T041134Z&X-Amz-Signature=284688c08c92eede89f5116de7244fed69c840f894fb16396bd403d687dab641&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:11:34.782] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:11:34.782] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:11:34.782] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:11:34.782] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:11:34.782] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:11:34.783] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:11:34.789] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.1765426242.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765426294783, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 12:11:34.789] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 12:11:34.789] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:09.960] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25979 key: NULL payload: 
{"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.10.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.10.17610986931220.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=32bc795900c94bded9d48d44bac929ada6c483f979160f9921f246b5ddf244ba&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042009Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:20:09.960] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:09.960] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:09.960] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:09.960] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:09.960] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:09.961] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:10.241] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.10.17610986931220.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765426809961, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", 
"src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:10.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:20:10.241] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:10.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:10.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:13.097] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25980 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.11.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.11.17610986931220.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=b952a6de3f0249f2551721d3ffe42275c653877417e9f923b66b8eb1c4bbfd12&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042012Z"} [2025-12-11 12:20:13.097] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:13.097] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:13.098] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:13.098] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:13.098] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:13.099] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:13.368] 
[DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.11.17610986931220.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765426813099, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:13.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:20:13.368] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:13.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:13.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:16.302] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24838 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.1.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.1.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=8370bae85a8273edab74ff826b8ad67846c140db22e6516a3af1328fda5a55c4&X-Amz-Date=20251211T042015Z"} [2025-12-11 12:20:16.302] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:16.302] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:16.302] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:16.302] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:16.302] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:16.303] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:16.542] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.1.17610986931220.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765426816303, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:16.542] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:20:16.542] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:16.542] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:16.542] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:19.501] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24839 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.12.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.12.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=8bcc919c27cf4064a0ae1cb8da8d2be53e6a5eba6ebab67458e0392d3254a6ae&X-Amz-Date=20251211T042019Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 12:20:19.501] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:19.501] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:19.501] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:19.502] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:19.502] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:19.502] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:19.745] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.12.17610986931220.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765426819502, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 
1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:19.745] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 12:20:19.745] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:19.745] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:19.745] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:22.660] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25981 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.13.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.13.17610986931220.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T042022Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=e496db9af3abd19a01fe81ca74bc7bdf8e2fc69f0c68634e332ba651c270d9f8&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:20:22.660] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:22.660] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:22.661] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:22.661] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:22.661] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:22.661] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:22.900] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:12/output/gbm/alert.pcap.13.17610986931220.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765426822661, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", 
"src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:22.900] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 12:20:22.900] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:22.900] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:22.900] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:20:26.065] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24840 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.14.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.14.17610986931220.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=6a0391106eaf53d3650962593ec96837ed9322f06099d284a41d1b662fc4c914&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042025Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 12:20:26.065] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:26.065] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:26.065] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:26.065] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:26.065] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:26.066] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:26.317] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.14.17610986931220.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765426826066, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:26.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:20:26.317] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:26.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 12:20:26.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:29.188] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24841 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.15.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.15.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=76e45f2d85bb60c627510288651f0c30ebae0fa5972c5f74e996feea83c6aa67&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T042028Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:20:29.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:29.188] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:29.188] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:29.189] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:29.189] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:29.189] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:29.428] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.15.17610986931220.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765426829190, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:29.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:20:29.428] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:29.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:29.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:20:32.522] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24842 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.16.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.16.17610986931220.jsonl?X-Amz-Date=20251211T042032Z&X-Amz-Expires=604800&X-Amz-Signature=668300d71cd9f28f42b05036235da54edcfb50c805b120b2fbeafc838ca4fd4a&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:20:32.523] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:32.523] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:32.523] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:32.523] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:32.523] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:32.523] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:32.789] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.16.17610986931220.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765426832523, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": 
"tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:32.789] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:20:32.789] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:32.789] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:32.789] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:20:36.028] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24843 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.17.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.17.17610986931220.jsonl?X-Amz-Expires=604800&X-Amz-Signature=7db36ecd88e6ea9cbd07b6561d44ab0f24828496122f031025a6fc8c7fcd1093&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042035Z"} [2025-12-11 12:20:36.028] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:36.028] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:36.028] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:36.028] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:36.028] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:36.028] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:36.280] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.17.17610986931220.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765426836029, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:36.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:20:36.280] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:36.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:36.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:39.164] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25598 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.18.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.18.17610986931220.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=92cfcdca4bd81fcd4e7d9adcf1abfe3e2d11f0d2730c313c689ccbab0fa903b0&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042038Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 12:20:39.164] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:39.164] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:39.164] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:39.164] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:39.164] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:39.165] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:39.399] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.18.17610986931220.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765426839165, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 
53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:39.399] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:20:39.399] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:39.399] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:39.399] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:20:42.309] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25599 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.19.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.19.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=72891976ae95891c0ae9e665be2e282b5f74dc712678e17618a8ce3b6919c937&X-Amz-Date=20251211T042041Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:20:42.309] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:42.309] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:42.310] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:42.310] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:42.310] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:42.311] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:42.552] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.19.17610986931220.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765426842311, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:42.552] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:20:42.552] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:42.552] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:42.552] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:45.510] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25982 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.20.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.20.17610986931220.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T042045Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=6cbf6e67a6965e04864a51de4b4f8f0e03ad30960b9e9ea90a38d35eca4be598&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:20:45.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:45.510] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:45.510] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:45.510] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:45.510] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:45.511] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:45.793] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:12/output/gbm/alert.pcap.20.17610986931220.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765426845511, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", 
"src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:45.793] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:20:45.793] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:45.793] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:45.793] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:20:48.644] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25983 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.21.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.21.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T042048Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=7f451155edbfba26f93da71262b11bc30364aae350514608dca53d53f61a2f04&X-Amz-SignedHeaders=host"} [2025-12-11 12:20:48.644] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:48.644] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:48.644] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:48.644] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:48.644] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:48.645] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:48.891] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.21.17610986931220.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765426848645, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", 
"src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:48.891] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:20:48.891] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:48.891] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:48.891] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:20:51.841] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25600 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.2.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.2.17610986931220.jsonl?X-Amz-Signature=2782fd64e58eb5e1a5b8b24d60831f43c40ac9b1eb0d18f6e232fdeaafac8d60&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042051Z"} [2025-12-11 12:20:51.841] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:51.841] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:51.841] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:51.841] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:51.841] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:51.842] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:52.100] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.2.17610986931220.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765426851842, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:52.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:20:52.100] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:52.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:52.100] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:20:55.348] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25601 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.22.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.22.17610986931220.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=00ae8b9c1db3a1bf94fac37d2a9af8d9a0ae1bc4cffcb5f8df4a78901dcbd6b7&X-Amz-Date=20251211T042054Z"} [2025-12-11 12:20:55.348] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:55.348] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:55.349] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:55.349] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:55.349] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:55.349] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:55.599] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.22.17610986931220.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765426855349, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, 
"2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:55.599] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:20:55.599] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:55.599] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:55.599] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:20:59.209] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25984 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.23.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.23.17610986931220.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T042058Z&X-Amz-Signature=588a32c4c2882653c696c05fe037f851efc3cc3ff858a41ff4a6c78fb8e1878c&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:20:59.209] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:20:59.209] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:20:59.209] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:20:59.209] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:20:59.209] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:20:59.210] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:20:59.459] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.23.17610986931220.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765426859210, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:20:59.459] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:20:59.459] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:20:59.459] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:20:59.459] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:21:02.434] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25985 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.24.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.24.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=b0fbbfddff14ece05dcace63acf34acaff3ffe574433e2e58e75b86611dc9629&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T042102Z"} [2025-12-11 12:21:02.434] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:02.434] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:02.435] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:02.435] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:02.435] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:02.435] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:02.692] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.24.17610986931220.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765426862436, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:02.692] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:21:02.692] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:02.692] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:02.692] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:21:05.856] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25602 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.25.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.25.17610986931220.jsonl?X-Amz-Date=20251211T042105Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=6f2f4823f770faa7165cb3b20578d5a37ed90140506994a2f9e4af5652783dbb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 12:21:05.856] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:05.856] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:05.856] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:05.856] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:05.856] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:05.857] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:06.111] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.25.17610986931220.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765426865857, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:06.111] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:21:06.111] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:06.111] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:06.111] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:21:09.104] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24844 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.26.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.26.17610986931220.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=532182e8aafa374771567cd763eb202b13917197252621a8fa81b5bc4e6fffa1&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T042108Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:21:09.104] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:09.104] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:09.104] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:09.104] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:09.104] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:09.104] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:09.380] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.26.17610986931220.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765426869104, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:09.380] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:21:09.380] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:09.380] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:09.380] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:21:12.340] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24845 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.3.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.3.17610986931220.jsonl?X-Amz-Signature=c736016be7eedd791304e85f358def09646d94e94fdb70032a9d870752a3bcf7&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T042111Z"} [2025-12-11 12:21:12.340] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:12.340] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:12.341] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:12.341] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:12.341] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:12.341] 
[INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:12.624] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.3.17610986931220.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765426872341, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", 
"protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:12.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 12:21:12.624] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:12.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:12.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:21:15.470] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25603 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.4.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.4.17610986931220.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=8affaac361cacd4cf32b1631c5c82cb02f8b91b9fc8c9088e24f8e4799e6ff8b&X-Amz-Date=20251211T042114Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:21:15.470] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:15.471] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:15.702] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.4.17610986931220.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765426875471, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:15.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 12:21:15.702] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:15.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:15.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:21:19.017] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24846 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.5.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.5.17610986931220.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042118Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=7252e438ad1770619a088af64ca803c332b6cd8ed878ec264c1164130c65f8fc"} [2025-12-11 12:21:19.017] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:19.017] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:19.017] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:19.017] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:19.017] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:19.018] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:19.317] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.5.17610986931220.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765426879018, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:19.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:21:19.317] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:19.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:19.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:21:22.159] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25986 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.6.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.6.17610986931220.jsonl?X-Amz-Signature=c46e3dc6f438dd9c08aa6fd3ca005d2c0cbcb40f4179907f22538c34924c8ed4&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042121Z&X-Amz-SignedHeaders=host"} [2025-12-11 12:21:22.159] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:22.159] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:22.159] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:22.159] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:22.159] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:22.160] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:22.404] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.6.17610986931220.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765426882160, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:22.404] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 12:21:22.404] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:22.404] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:22.404] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:21:25.415] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25987 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.7.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.7.17610986931220.jsonl?X-Amz-Expires=604800&X-Amz-Signature=dd8b784e8fc21b5546aa1a848135fb37b9bac8849a9c56e1911c0926c058caaf&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T042125Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:21:25.415] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:25.415] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:25.415] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:25.415] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:25.415] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:25.416] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:25.671] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.7.17610986931220.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765426885416, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", 
"protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:25.671] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:21:25.671] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:25.671] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:25.671] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:21:28.610] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25604 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.8.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.8.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=f067f98db4899db0d4d9e5948932522ec86f76b8ee9f8911b776a55bf12bdd5d&X-Amz-Expires=604800&X-Amz-Date=20251211T042128Z"} [2025-12-11 12:21:28.610] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:28.610] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:28.610] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:28.610] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:28.610] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:28.611] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:28.861] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.8.17610986931220.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765426888611, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:28.861] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:21:28.861] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
12:21:28.861] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:28.861] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:21:31.778] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25605 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.17610986931220.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.17610986931220.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T042131Z&X-Amz-Signature=96c562d884e4439a00b62f8e3a29ea7982c6276d727b4ad2b81b5063461b8ef1&X-Amz-Expires=604800"} [2025-12-11 12:21:31.778] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:21:31.778] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:21:31.779] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:21:31.779] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:21:31.779] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:21:31.779] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:21:32.033] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.17610986931220.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765426891779, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 
49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:21:32.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:21:32.033] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:21:32.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:21:32.033] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:25:51.012] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25606 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.1765427143.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.1765427143.jsonl?X-Amz-Signature=78be274058cfddb38e49455ee69420b587c14979fc7883e59169c81fd6fa00e0&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T042550Z"} [2025-12-11 12:25:51.012] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:25:51.012] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:25:51.012] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:25:51.012] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:25:51.012] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:25:51.013] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:25:51.024] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.1765427143.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765427151013, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 12:25:51.024] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 12:25:51.024] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:10.043] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24847 key: NULL payload: 
{"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.10.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.10.17610986931230.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=edaeb7497b2342ffc6d07058e25513ac917bd02502eb584e0ef7bc587c112ac8&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T043009Z&X-Amz-SignedHeaders=host"} [2025-12-11 12:30:10.044] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:10.044] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:10.044] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:10.044] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:10.044] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:10.044] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:10.283] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.10.17610986931230.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765427410044, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:10.283] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:30:10.283] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:10.283] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:10.283] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:13.180] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25988 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.11.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.11.17610986931230.jsonl?X-Amz-Expires=604800&X-Amz-Signature=4ba53d61bce9bfa096daa1730323c141cf7b10f5a609927b99d2ee5f94a5783b&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T043012Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:30:13.180] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:13.180] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:13.180] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:13.180] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:13.180] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:13.181] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 
12:30:13.427] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.11.17610986931230.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765427413182, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:13.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:30:13.428] [DEBUG] 
[tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:13.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:13.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:16.379] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24848 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.1.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.1.17610986931230.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=8a3d5643f0cad54d2e1bf95d0b33255d9658c11c93aa05270ff5771c191b9c32&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T043016Z"} [2025-12-11 12:30:16.380] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:16.380] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:16.380] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:16.380] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:16.380] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:16.381] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:16.624] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.1.17610986931230.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765427416381, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, 
"2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:16.624] 
[INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:30:16.624] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:16.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:16.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:19.586] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24849 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.12.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.12.17610986931230.jsonl?X-Amz-Signature=03ddb6d6b4a2a3123c44b68d1c1ccfe57a78a9d6c50d03d8acfcbb0891f77866&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T043019Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:30:19.587] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:19.587] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:19.587] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:19.587] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:19.587] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:19.588] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:19.845] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.12.17610986931230.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765427419588, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", 
"dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:19.845] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 12:30:19.845] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:19.845] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:19.845] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:22.749] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25989 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.13.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.13.17610986931230.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T043022Z&X-Amz-Signature=2315d3f403e3f362b432fd6323ade42ef27fad75507b01a1aad440c0a1c438fd&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:30:22.750] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:22.750] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:22.750] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:22.750] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:22.750] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:22.750] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:22.985] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.13.17610986931230.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765427422750, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 
1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:22.985] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 12:30:22.985] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:22.985] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:22.985] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:30:26.122] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24850 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.14.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.14.17610986931230.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T043025Z&X-Amz-Signature=bf2468f32ceaf5c54dfd3ebd61d9c2769763062a972d4cdedb8994d7a836b4ce&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 12:30:26.122] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:26.122] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:26.122] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:26.122] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:26.122] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:26.123] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:26.401] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.14.17610986931230.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765427426123, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": 
"tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:26.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:30:26.401] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:26.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 12:30:26.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:29.259] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25990 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.15.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.15.17610986931230.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=342ff2f62896f0c494deda641b0bde4e4b46213fd77007b424372772c4d48848&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T043028Z"} [2025-12-11 12:30:29.259] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:29.259] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:29.259] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:29.259] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:29.259] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:29.260] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:29.502] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.15.17610986931230.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765427429260, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, 
"2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:29.502] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:30:29.502] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:29.502] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:29.502] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:30:32.594] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25991 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.16.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.16.17610986931230.jsonl?X-Amz-Date=20251211T043032Z&X-Amz-Signature=b058f82bdef73711020edc982c47e738fde97d07e86821f05e1b0f0ea53d9490&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 12:30:32.594] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:32.594] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:32.595] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:32.595] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:32.595] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:32.595] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:32.859] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.16.17610986931230.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765427432595, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", 
"protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:32.859] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:30:32.859] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:32.859] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:32.859] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:30:36.083] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25607 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.17.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.17.17610986931230.jsonl?X-Amz-Date=20251211T043035Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=5c43a3caf9eb0ebbfc3835a2addc43346232198d403d16ab090e652f6acaa937&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:30:36.083] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:36.083] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:36.083] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:36.083] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:36.083] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:36.084] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:36.336] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.17.17610986931230.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765427436084, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:36.336] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:30:36.336] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:36.336] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:36.336] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:39.209] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25992 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.18.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.18.17610986931230.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=a73e2d1fedf34ad717f6ff32c5638111d32f2a4cde9e7cd19f45bb18274a8fae&X-Amz-Date=20251211T043038Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:30:39.209] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:39.209] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:39.209] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:39.209] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:39.209] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:39.209] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:39.437] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.18.17610986931230.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765427439209, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:39.437] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:30:39.437] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:39.437] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:39.437] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:30:42.338] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25608 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.19.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.19.17610986931230.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=93bb71f86bc54b24fc240af0ae7f36faf9502f136f808edc9145f88254ad3ec3&X-Amz-Date=20251211T043041Z&X-Amz-Expires=604800"} [2025-12-11 12:30:42.338] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:42.338] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:42.338] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:42.338] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:42.338] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:42.339] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:42.578] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.19.17610986931230.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765427442339, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:42.578] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:30:42.578] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:42.578] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:42.578] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:45.568] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24851 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.20.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.20.17610986931230.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=5fc4eed94d66bbacda653c40219aa2c0aac2b3211d6eb3be1ddee5f97730eedb&X-Amz-Date=20251211T043045Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 12:30:45.568] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:45.568] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:45.568] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:45.568] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:45.568] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:45.568] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:45.815] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:12/output/gbm/alert.pcap.20.17610986931230.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765427445568, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", 
"src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:45.815] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:30:45.815] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:45.815] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:45.815] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:30:48.703] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25993 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.21.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.21.17610986931230.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T043048Z&X-Amz-Expires=604800&X-Amz-Signature=efd8ad200b31c2c3f2f2083bb5991a5803f342214c50b98f1c03954bd7933209&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:30:48.703] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:48.703] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:48.703] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:48.703] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:48.703] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:48.704] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:48.946] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.21.17610986931230.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765427448704, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", 
"protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:48.946] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:30:48.946] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:48.946] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:48.946] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:30:51.913] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25609 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.2.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.2.17610986931230.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=aa252eeef6150afa5869b8041fb331b2e645a3bafdedc271f8d207c13d175707&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T043051Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:30:51.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:51.913] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:51.913] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:51.913] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:51.913] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:51.913] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:52.162] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.2.17610986931230.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765427451913, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:52.162] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:30:52.162] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:52.162] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:52.162] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:30:55.444] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25994 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.22.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.22.17610986931230.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=a2e03df2d6c5b37d7dad1a3a7233d0a83349888adb296829d9a6f817e32add1d&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T043054Z"} [2025-12-11 12:30:55.445] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:55.445] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:55.445] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:55.445] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:55.445] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:55.445] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:55.694] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.22.17610986931230.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765427455445, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:55.694] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:30:55.694] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:55.694] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:55.694] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:30:59.124] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25610 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.23.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.23.17610986931230.jsonl?X-Amz-Signature=8bfd0a35eb8343d7e7e527a82d19ad8282c45c64f987fbfb954b32f134df9694&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T043058Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:30:59.124] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:30:59.124] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:30:59.124] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:30:59.124] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:30:59.124] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:30:59.124] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:30:59.388] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.23.17610986931230.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765427459125, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", 
"protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:30:59.388] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:30:59.388] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:30:59.388] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:30:59.388] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:31:02.351] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25611 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.24.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.24.17610986931230.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T043101Z&X-Amz-SignedHeaders=host&X-Amz-Signature=1b5a671532b7300d77a746abf3a25f1110278448765c10369899d441c8ba240d&X-Amz-Expires=604800"} [2025-12-11 12:31:02.351] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:02.351] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:02.351] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:02.351] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:02.351] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:02.351] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:02.581] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.24.17610986931230.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765427462351, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:02.581] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:31:02.581] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:02.581] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:02.581] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:31:05.777] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25995 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.25.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.25.17610986931230.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=eb48a42738a122478d2bfe6db54a1f8b1f0322dc7dc2046178e374b4774cf275&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T043105Z"} [2025-12-11 12:31:05.777] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:05.777] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:05.777] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:05.777] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:05.777] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:05.777] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:06.015] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.25.17610986931230.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765427465778, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:06.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:31:06.015] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:06.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:06.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:31:09.035] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24852 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.26.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.26.17610986931230.jsonl?X-Amz-Signature=770bef97c92307edc09a0882b6298f7c512db2019b7c6823cce2cea64046dd9a&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T043108Z&X-Amz-Expires=604800"} [2025-12-11 12:31:09.035] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:09.035] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:09.035] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:09.035] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:09.035] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:09.035] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:09.280] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.26.17610986931230.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765427469035, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:09.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:31:09.280] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:09.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:09.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:31:12.259] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24853 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.3.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.3.17610986931230.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T043111Z&X-Amz-Signature=1599fefb2efe31247467fcf147afc6290a73ea9970e013ed853fc8f404ea8fb7&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 12:31:12.259] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:12.259] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:12.260] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:12.260] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:12.260] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 12:31:12.260] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:12.513] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.3.17610986931230.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765427472260, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 
1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:12.513] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 12:31:12.513] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:12.513] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:12.513] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:31:15.389] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24854 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.4.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.4.17610986931230.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T043114Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=d12666b71440adb61d5dfd4e7354386655801cf0136ee45d6694a592d89f4de8&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:31:15.389] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:15.389] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:15.389] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:15.389] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:15.389] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:15.391] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:15.624] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.4.17610986931230.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765427475391, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:15.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 12:31:15.624] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:15.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:15.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:31:18.915] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25612 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.5.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.5.17610986931230.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=c219329be7607ebe3a6a04ed679d3a53fa713666e809d4877b7889357c5dc092&X-Amz-Date=20251211T043118Z"} [2025-12-11 12:31:18.915] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:18.915] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:18.916] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:18.916] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:18.916] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:18.916] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:19.164] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.5.17610986931230.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765427478916, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, 
"dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:19.164] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:31:19.164] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:19.164] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:19.164] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:31:22.058] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25613 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.6.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.6.17610986931230.jsonl?X-Amz-Signature=a8f3a85a86e8f3338337e3af18ba2b1083f565c9a75becb9ff603d74b427d63c&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T043121Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 12:31:22.058] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:22.058] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:22.059] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:22.059] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:22.059] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:22.060] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:22.288] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.6.17610986931230.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765427482060, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:22.288] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 12:31:22.288] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:22.288] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:22.288] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:31:25.272] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25996 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.7.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.7.17610986931230.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=693437d91ef5aed5e26f9f5cb9ef71a74e1cb3d123a10f1b4ba727887cb3c9b8&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T043124Z"} [2025-12-11 12:31:25.272] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:25.272] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:25.272] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:25.272] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:25.272] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:25.273] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:25.508] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.7.17610986931230.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765427485273, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", 
"protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:25.508] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:31:25.508] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:25.508] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:25.508] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:31:28.461] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25614 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.8.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.8.17610986931230.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T043128Z&X-Amz-Signature=598a3b2509e49f6ed4d45e73d45bc0ac56dd85c3405fd09eb9f5bd59187ba56a&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:31:28.461] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:28.461] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:28.461] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:28.461] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:28.461] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:28.462] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:28.696] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.8.17610986931230.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765427488462, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:28.696] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:31:28.696] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
12:31:28.696] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:28.696] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:31:31.649] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24855 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.17610986931230.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.17610986931230.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T043131Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=ff53257c785a2f95621f255d94f7beba7e565579e38c5d4dd84923948b3587bf&X-Amz-Expires=604800"} [2025-12-11 12:31:31.649] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:31:31.649] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:31:31.649] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:31:31.649] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:31:31.649] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:31:31.650] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:31:31.886] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.17610986931230.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765427491650, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 
50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:31:31.886] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:31:31.886] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:31:31.886] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:31:31.886] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:10.130] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25997 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.10.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.10.17610986931240.jsonl?X-Amz-Signature=3dbe64b4f105e6179fe8245ae43ab0a8e08996170e16709b2222661740a4cab1&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044009Z&X-Amz-SignedHeaders=host"} [2025-12-11 12:40:10.130] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:10.130] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:10.130] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:10.130] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:10.131] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:10.131] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:10.439] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.10.17610986931240.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765428010132, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 
3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", 
"protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:10.439] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:40:10.439] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:10.439] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:10.439] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:13.267] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25615 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.11.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.11.17610986931240.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=80ded58b91af28a72de79bc6a7506af73c6099f28f09e47948363acd50d4028c&X-Amz-Expires=604800&X-Amz-Date=20251211T044012Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:40:13.267] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:13.267] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:13.267] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:13.267] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:13.267] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:13.268] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:13.502] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.11.17610986931240.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765428013268, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} 
[2025-12-11 12:40:13.502] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:40:13.502] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:13.502] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:13.502] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:16.430] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25616 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.1.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.1.17610986931240.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044016Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=85e694326451863f5777fcec4af30147b6ba16476eb04432c36a6dfeee334251&X-Amz-SignedHeaders=host"} [2025-12-11 12:40:16.430] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:16.430] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:16.430] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:16.430] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:16.430] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:16.431] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:16.677] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.1.17610986931240.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765428016431, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", 
"protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:16.677] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:40:16.677] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:16.677] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:16.677] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:19.644] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25998 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.12.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.12.17610986931240.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044019Z&X-Amz-Signature=cd5ea2c9e8eb737b984b78c3c9dc636796d5ea1c41cc68234be8c060c09a9cd2"} [2025-12-11 12:40:19.644] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:19.644] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:19.644] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:19.644] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:19.644] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:19.645] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:19.884] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.12.17610986931240.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, 
"normal_count": 0, "timestamp": 1765428019645, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 
53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:19.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 12:40:19.884] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:19.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:19.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:22.811] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25617 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.13.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.13.17610986931240.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=3e40680779214eee8043962cd7802895cff6897e1d5f908341eb6db6604aba4d&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044022Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:40:22.811] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:22.811] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:22.811] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:22.811] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:22.811] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for 
function load [2025-12-11 12:40:22.812] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:23.052] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.13.17610986931240.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765428022812, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:23.052] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 12:40:23.052] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:23.052] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:23.052] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:26.187] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24856 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.14.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.14.17610986931240.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=56ac06556121348558f623d4ad07b1eec55d70f811eae9355b074909a1d9e305&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044025Z&X-Amz-Expires=604800"} [2025-12-11 12:40:26.187] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:26.187] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:26.188] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:26.188] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:26.188] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:26.188] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:26.440] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.14.17610986931240.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765428026188, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:26.440] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:40:26.440] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:26.440] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 12:40:26.440] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:29.311] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24857 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.15.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.15.17610986931240.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=78ee9da22f128a6d63f1980651ba9fadd22001407a0091db355b820b75233a34&X-Amz-Expires=604800&X-Amz-Date=20251211T044028Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:40:29.312] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:29.312] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:29.312] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:29.312] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:29.312] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:29.312] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:29.550] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.15.17610986931240.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765428029312, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:29.550] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:40:29.550] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:29.550] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:29.550] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:32.642] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 25999 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.16.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.16.17610986931240.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T044032Z&X-Amz-Signature=8f8ac0bdad3ed132d1e5bc7afd03ec65c4f1f7914fae1e7b493d35139eafb713"} [2025-12-11 12:40:32.642] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:32.642] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:32.642] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:32.642] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:32.642] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:32.642] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:32.893] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.16.17610986931240.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765428032642, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 
1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:32.893] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:40:32.893] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:32.893] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:32.893] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:36.160] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25618 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.17.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.17.17610986931240.jsonl?X-Amz-Date=20251211T044035Z&X-Amz-Signature=e451e4a0f01fbe2f78ad299f649cfd47c0f669ca03105a3f2fbeb2306522ae47&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 12:40:36.160] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:36.160] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:36.160] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:36.161] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:36.161] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:36.161] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:36.412] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.17.17610986931240.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765428036162, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:36.412] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:40:36.412] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:36.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:36.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:39.302] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24858 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.18.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.18.17610986931240.jsonl?X-Amz-Signature=f18385dd4081c9215e9134f167dc122e15afcc02c72e42962686c2333b2a479d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T044038Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 12:40:39.302] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:39.302] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:39.302] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:39.302] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:39.302] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:39.303] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:39.603] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.18.17610986931240.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765428039303, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 
80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:39.604] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:40:39.604] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:39.604] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:39.604] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:42.439] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25619 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.19.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.19.17610986931240.jsonl?X-Amz-Date=20251211T044041Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=423d0e8b56ce619d72ffaf9e9937ce85604b6394614a6f596d24d11055d14980&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:40:42.440] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:42.440] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:42.440] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:42.440] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:42.440] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:42.440] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:42.700] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.19.17610986931240.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765428042440, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", 
"protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:42.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:40:42.700] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:42.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:42.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:45.660] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26000 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.20.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.20.17610986931240.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T044045Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=9f5bccf101c21ae8805c12a6ac1da93e953508dafa72b570072d763b38a24874"} [2025-12-11 12:40:45.660] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:45.660] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:45.660] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:45.660] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:45.660] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:45.660] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:45.902] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:12/output/gbm/alert.pcap.20.17610986931240.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765428045660, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", 
"src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:45.903] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:40:45.903] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:45.903] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:45.903] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:48.794] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25620 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.21.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.21.17610986931240.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=76d816dfc6c5a27250678e8a6940b47e44fe411d575d1c3aacfa7800b5c73a35&X-Amz-Date=20251211T044048Z&X-Amz-Expires=604800"} [2025-12-11 12:40:48.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:48.794] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:48.794] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:48.794] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:48.794] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:48.795] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:49.032] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.21.17610986931240.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765428048795, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": 
"tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:49.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:40:49.032] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:49.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:49.032] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:51.983] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25621 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.2.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.2.17610986931240.jsonl?X-Amz-Expires=604800&X-Amz-Signature=894393e8c4dbf20eb6240eacacb08a733b6deddeb8246fc53afd1d31c7dddeef&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T044051Z"} [2025-12-11 12:40:51.984] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:51.984] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:51.984] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:51.984] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:51.984] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:51.984] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:52.241] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.2.17610986931240.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765428051984, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:52.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:40:52.241] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:52.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:52.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:40:55.493] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25622 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.22.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.22.17610986931240.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T044054Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=f57f4608e1e53b5c9ce94f592ca12f6330ba096c95cab8f678a656416ac19753&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:40:55.493] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:55.493] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:55.493] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:55.493] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:55.494] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:55.494] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:55.743] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.22.17610986931240.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765428055494, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 
1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:55.743] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:40:55.743] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:55.743] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:55.743] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:40:59.346] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25623 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.23.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.23.17610986931240.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T044058Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=d97a50e48e5d830858aa8b4865ac63d8a5348c6d5f0714a269eb537367e26bc4"} [2025-12-11 12:40:59.346] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:40:59.346] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:40:59.346] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:40:59.347] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:40:59.347] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:40:59.347] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:40:59.585] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.23.17610986931240.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765428059348, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", 
"protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:40:59.585] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:40:59.585] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:40:59.585] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:40:59.585] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:41:02.571] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24859 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.24.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.24.17610986931240.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T044102Z&X-Amz-Signature=7ef8ebcf68d029a49f21df3a315977a8ebd5fa0e9cb61a9a7dfc41e2cbe97594&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:41:02.571] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:02.571] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:02.572] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:02.572] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:02.572] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:02.572] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:02.819] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.24.17610986931240.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765428062573, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:02.819] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:41:02.819] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:02.819] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:02.820] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:41:06.008] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26001 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.25.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.25.17610986931240.jsonl?X-Amz-Expires=604800&X-Amz-Signature=2e86147c99a5815cb66a99ca8ca5675bb6c258361ae193104c2e26d48a02dce1&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044105Z"} [2025-12-11 12:41:06.008] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:06.008] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:06.008] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:06.008] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:06.008] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:06.009] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:06.250] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.25.17610986931240.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765428066009, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:06.250] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:41:06.250] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:06.250] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:06.250] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:41:09.244] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26002 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.26.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.26.17610986931240.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=00859379029def4cbaf47c98c89bcab3a5188bc1fd8986b4a83688e8803f9857&X-Amz-Date=20251211T044108Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 12:41:09.245] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:09.245] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:09.245] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:09.245] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:09.245] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:09.246] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:09.493] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.26.17610986931240.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765428069246, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 
50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:09.493] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:41:09.493] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:09.493] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:09.493] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:41:12.464] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25624 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.3.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.3.17610986931240.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=1335829856bb190130950a5a7a970dce4e05e15d498dd5021d23287f0a18e215&X-Amz-Date=20251211T044112Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 12:41:12.464] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:12.464] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:12.464] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:12.464] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:12.464] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 12:41:12.465] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:12.720] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.3.17610986931240.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765428072465, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:12.720] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 12:41:12.720] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:12.720] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:12.720] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:41:15.612] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24860 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.4.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.4.17610986931240.jsonl?X-Amz-Signature=44f52e66bb9159a385759569e6f967596411ec224fc397e69a4b0d14198a2813&X-Amz-Date=20251211T044115Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 12:41:15.612] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:15.612] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:15.612] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:15.612] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:15.612] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:15.612] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:15.855] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.4.17610986931240.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765428075612, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:15.855] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000 [2025-12-11 12:41:15.855] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:15.855] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:15.855] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:41:19.152] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26003 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.5.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.5.17610986931240.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=a47210788743519b2e4bb38eaf0734aec3e87be5bb1fb491abad6c8a0d324c16&X-Amz-Date=20251211T044118Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 12:41:19.152] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:19.152] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:19.152] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:19.152] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:19.152] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:19.153] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:19.394] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.5.17610986931240.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765428079153, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:19.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:41:19.394] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:19.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:19.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:41:22.294] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26004 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.6.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.6.17610986931240.jsonl?X-Amz-Expires=604800&X-Amz-Signature=5d73871da5de68cac88e14895268e9273b4d79c5e01a0e16bb301966439d0bbe&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044121Z"} [2025-12-11 12:41:22.294] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:22.294] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:22.295] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:22.295] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:22.295] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:22.295] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:22.542] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.6.17610986931240.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765428082295, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:22.543] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 12:41:22.543] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:22.543] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:22.543] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:41:25.524] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25625 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.7.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.7.17610986931240.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T044125Z&X-Amz-Signature=501373e695d5cfc9025a2e1162e49d909b2f20b3d48f856c7a110bbab2a2a4da"} [2025-12-11 12:41:25.524] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:25.524] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:25.524] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:25.524] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:25.524] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:25.524] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:25.812] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.7.17610986931240.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765428085524, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:25.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:41:25.812] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:25.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:25.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:41:28.712] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26005 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.8.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.8.17610986931240.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T044128Z&X-Amz-SignedHeaders=host&X-Amz-Signature=cea697a0b27b5ea07ca99ec7b57ea049f7c22bdba2c30f33ddf8b736cd2cfc45&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 12:41:28.712] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:28.712] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:28.712] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:28.712] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:28.712] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:28.713] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:28.975] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.8.17610986931240.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765428088713, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:28.975] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:41:28.975] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:28.975] [INFO] 
[tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:28.975] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:41:31.902] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25626 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.17610986931240.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.17610986931240.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T044131Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=0c17407f029426eab639b76992d5459ed2404c8260460f2403b67421265c4214"} [2025-12-11 12:41:31.902] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:31.902] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:31.902] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:31.902] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:31.902] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:31.903] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:32.144] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.17610986931240.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765428091903, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:41:32.144] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:41:32.144] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:41:32.144] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:41:32.144] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:41:35.219] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25627 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.1765428044.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.1765428044.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=a870723168bb15b19bc14a995054b8395f37b7929ffc18467ea7d2c71166cc7a&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T044134Z"} [2025-12-11 12:41:35.220] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:41:35.220] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:41:35.220] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:41:35.220] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:41:35.220] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:41:35.220] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:41:35.227] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.1765428044.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765428095220, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 12:41:35.227] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 12:41:35.227] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:10.213] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24861 key: NULL payload: 
{"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.10.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.10.17610986931250.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T045009Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=d900023b580aafc6f686361a91a86685cf6b65fe0adcfec8117c3250d27bde01"} [2025-12-11 12:50:10.213] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:10.213] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:10.214] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:10.214] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:10.214] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:10.215] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:10.495] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.10.17610986931250.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765428610215, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", 
"src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:10.495] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:50:10.495] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:10.495] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:10.495] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:13.348] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25628 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.11.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.11.17610986931250.jsonl?X-Amz-Date=20251211T045012Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=afacc024e0f1048b132d0c26694181ce2bc97ff344c523294fd091923992d3d6&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:50:13.348] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:13.348] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:13.349] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:13.349] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:13.349] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:13.350] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:13.661] 
[DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.11.17610986931250.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765428613350, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:13.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:50:13.661] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:13.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:13.662] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:16.511] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24862 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.1.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.1.17610986931250.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T045016Z&X-Amz-Signature=5a2f51a77de72ba65fca4eab59950792083c331e3d491642787ee71160b65a4e&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 12:50:16.511] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:16.511] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:16.511] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:16.511] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:16.511] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:16.512] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:16.763] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.1.17610986931250.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765428616512, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:16.763] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:50:16.763] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:16.763] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:16.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:19.715] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24863 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.12.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.12.17610986931250.jsonl?X-Amz-Date=20251211T045019Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=79d24d45ec44940bb15de9148c3b54f2ee4007dff0ffd5ddde200510a039114d"} [2025-12-11 12:50:19.715] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:19.715] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:19.715] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:19.715] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:19.715] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:19.716] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:19.975] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.12.17610986931250.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765428619716, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", 
"protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:19.975] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 12:50:19.975] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:19.975] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:19.975] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:22.901] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24864 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.13.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.13.17610986931250.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T045022Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=a8c74639eadaa9dfbf47031e2a61bdad39115def21973d295f921c986e8f2e65"} [2025-12-11 12:50:22.901] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:22.901] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:22.901] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:22.901] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:22.901] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:22.902] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:23.172] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.13.17610986931250.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765428622902, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", 
"protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:23.172] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 12:50:23.172] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:23.172] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:23.172] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:50:26.275] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26006 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.14.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.14.17610986931250.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=dfedf97533ef73cd3e81c82b9c06f24dd708ffb935bee6a1c3d3a3060e6e9b4d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T045025Z&X-Amz-SignedHeaders=host"} [2025-12-11 12:50:26.275] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:26.275] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:26.275] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:26.275] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:26.275] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:26.276] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:26.521] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.14.17610986931250.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765428626276, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:26.521] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 12:50:26.521] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:26.521] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 12:50:26.521] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:29.400] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26007 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.15.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.15.17610986931250.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=e97ec59c1633d058f4d9ea474acd8385cf76af63528d6e944bbd4e174bd7df45&X-Amz-Date=20251211T045028Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:50:29.400] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:29.400] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:29.401] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:29.401] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:29.401] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:29.401] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:29.646] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.15.17610986931250.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765428629401, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:29.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 12:50:29.646] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:29.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:29.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:50:32.740] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25629 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.16.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.16.17610986931250.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T045032Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=bc3c6133589a07a3a03a9a7a135fcdbc304f288c3fba4f9c93b51d24bccfcc75&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:50:32.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:32.740] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:32.740] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:32.740] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:32.740] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:32.741] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:33.000] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.16.17610986931250.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765428632741, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:33.000] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:50:33.000] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:33.000] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:33.000] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:50:36.235] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24865 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.17.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.17.17610986931250.jsonl?X-Amz-Date=20251211T045035Z&X-Amz-Signature=7ac53f0086dfe153412690297f5260cffc394db05ede41fa77820c79e19603f2&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 12:50:36.235] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:36.235] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:36.235] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:36.235] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:36.235] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:36.236] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:36.487] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.17.17610986931250.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765428636236, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:36.487] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:50:36.487] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:36.487] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:36.487] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:39.377] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26008 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.18.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.18.17610986931250.jsonl?X-Amz-Date=20251211T045038Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=1d5a3693ca7979355fbfaf06766bca8c62141760c0224ab864acc69dbcaa1396&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 12:50:39.377] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:39.377] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:39.377] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:39.377] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:39.377] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:39.378] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:39.623] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.18.17610986931250.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765428639378, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 
53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:39.623] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:50:39.623] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:39.623] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:39.623] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:50:42.522] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24866 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.19.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.19.17610986931250.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T045042Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=3e347a67e0f46ce344ecdbd5920421075130b79257df31f2cbc57e4b5b696eaa"} [2025-12-11 12:50:42.522] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:42.522] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:42.523] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:42.523] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:42.523] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:42.523] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:42.769] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.19.17610986931250.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765428642523, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", 
"protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:42.769] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:50:42.769] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:42.769] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:42.769] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:45.706] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26009 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.20.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.20.17610986931250.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T045045Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=479ef402b08a01e73762db803468f571dbe4003bfe652cbc6bdc6650495f66e0"} [2025-12-11 12:50:45.706] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:45.706] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:45.706] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:45.706] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:45.706] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:45.706] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:45.965] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:12/output/gbm/alert.pcap.20.17610986931250.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765428645707, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:45.965] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:50:45.965] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:45.965] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:45.965] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:50:48.840] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24867 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.21.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.21.17610986931250.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=a39e7161c42f128f8d1c1a6a5b0a45a673c7fe6cf61b6f4c7592f530f4da9a90&X-Amz-Date=20251211T045048Z"} [2025-12-11 12:50:48.840] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:48.840] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:48.840] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:48.840] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:48.840] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:48.841] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:49.096] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.21.17610986931250.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765428648841, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:49.096] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 12:50:49.096] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:49.096] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:49.096] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:50:52.068] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24868 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.2.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.2.17610986931250.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T045051Z&X-Amz-SignedHeaders=host&X-Amz-Signature=e527c38dd08e0851804dac67822951cb7b09d7a6b879dcc5d943c2ca7979a01d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:50:52.068] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:52.068] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:52.068] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:52.068] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:52.068] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:52.069] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:52.325] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.2.17610986931250.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765428652069, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:52.325] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 12:50:52.325] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:52.325] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:52.325] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:50:55.579] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24869 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.22.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.22.17610986931250.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=555c462e93ffbb1264208446225c3f95906f696f8f6662432d06cabce8333505&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T045055Z"} [2025-12-11 12:50:55.579] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:55.579] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:55.579] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:55.579] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:55.579] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:55.580] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:55.870] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.22.17610986931250.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765428655580, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:50:55.870] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 12:50:55.870] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:50:55.870] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:50:55.871] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:50:59.430] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25630 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.23.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.23.17610986931250.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T045059Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=ccf2fbbd2670ca84c174471c8c71ceea7925ab91553d77756508203bb2874f5f&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:50:59.430] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:50:59.430] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:50:59.430] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:50:59.430] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:50:59.430] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:50:59.431] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:50:59.688] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.23.17610986931250.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765428659431, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 12:50:59.688] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000
[2025-12-11 12:50:59.688] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 12:50:59.688] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 12:50:59.688] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 12:51:02.656] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26010 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.24.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.24.17610986931250.jsonl?X-Amz-Date=20251211T045102Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=48606b8e14c35e5e0c9ec9e1a1b3bf92cb3224cae11d5b6abf45ae8208774396&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"}
[2025-12-11 12:51:02.656] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 12:51:02.656] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 12:51:02.656] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 12:51:02.656] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 12:51:02.656] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 12:51:02.657] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 12:51:02.888] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.24.17610986931250.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp":
1765428662657, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 12:51:02.888] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000
[2025-12-11 12:51:02.888] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 12:51:02.888] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 12:51:02.888] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 12:51:06.074] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26011 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.25.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.25.17610986931250.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=a4ab3e8b68bfb95275ea4ffaca2fd57b93e335988cd3f0c6cb013c4ddbcc035e&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T045105Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"}
[2025-12-11 12:51:06.074] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 12:51:06.074] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 12:51:06.074] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 12:51:06.074] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 12:51:06.074] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 12:51:06.075] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 12:51:06.317] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.25.17610986931250.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765428666075, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0,
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 12:51:06.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000
[2025-12-11 12:51:06.317] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 12:51:06.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 12:51:06.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 12:51:09.336] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24870 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.26.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.26.17610986931250.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T045108Z&X-Amz-Signature=f1263c17125b416b2bf743f04878f934911835d3e6d577490fd0e28872debfee"}
[2025-12-11 12:51:09.336] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 12:51:09.336] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 12:51:09.336] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 12:51:09.336] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 12:51:09.336] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 12:51:09.337] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 12:51:09.614] [DEBUG] [tid:129356944758464]
(AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.26.17610986931250.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765428669337, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 
50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 12:51:09.614] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000
[2025-12-11 12:51:09.614] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 12:51:09.614] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 12:51:09.614] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 12:51:12.561] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26012 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.3.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.3.17610986931250.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T045112Z&X-Amz-Expires=604800&X-Amz-Signature=b191b7ad7e66d3c17563201bd7baffde66df4b36dddc8cae91f80f42805cc935&X-Amz-Algorithm=AWS4-HMAC-SHA256"}
[2025-12-11 12:51:12.561] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 12:51:12.561] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 12:51:12.561] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 12:51:12.561] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 12:51:12.561] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 12:51:12.562] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 12:51:12.826] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.3.17610986931250.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765428672562, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count":
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 12:51:12.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000
[2025-12-11 12:51:12.826] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 12:51:12.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 12:51:12.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 12:51:15.698] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24871 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.4.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.4.17610986931250.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T045115Z&X-Amz-Signature=415441ca2a7a8d0b38b9d949f6542954a5f8e69b42c561bfbd3988a720f8b1bd"} [2025-12-11 12:51:15.698] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:51:15.698] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:51:15.698] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:51:15.698] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:51:15.698] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:51:15.698] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:51:15.914] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.4.17610986931250.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765428675698, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:51:15.914] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 12:51:15.914] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:51:15.914] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:51:15.914] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:51:19.226] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24872 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.5.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.5.17610986931250.jsonl?X-Amz-Date=20251211T045118Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=54d71167229c2f96caed05852cbd3a221a1de2ff10dd062a0f26cb9c500370b9&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 12:51:19.226] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:51:19.226] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:51:19.227] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:51:19.227] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:51:19.227] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:51:19.227] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:51:19.482] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.5.17610986931250.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765428679227, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:51:19.483] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:51:19.483] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:51:19.483] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:51:19.483] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:51:22.374] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24873 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.6.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.6.17610986931250.jsonl?X-Amz-Expires=604800&X-Amz-Signature=cfdd913a94fd49e4834cba89066c6e602f60d315475280c3731f200e157b54c4&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T045121Z"} [2025-12-11 12:51:22.374] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:51:22.374] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:51:22.375] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:51:22.375] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:51:22.375] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:51:22.375] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:51:22.606] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.6.17610986931250.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765428682375, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:51:22.606] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 12:51:22.606] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:51:22.606] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:51:22.606] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:51:25.602] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26013 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.7.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.7.17610986931250.jsonl?X-Amz-Date=20251211T045125Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=98e98b59fb5408fe4f38d9f5ea52cfc0586465d7a006a46315515c965c284faf&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:51:25.602] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:51:25.602] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:51:25.602] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:51:25.602] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:51:25.602] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:51:25.603] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:51:25.846] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.7.17610986931250.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765428685604, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": 
"tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:51:25.846] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 12:51:25.846] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:51:25.846] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:51:25.846] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:51:28.791] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26014 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.8.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.8.17610986931250.jsonl?X-Amz-Signature=dfeeeea483b3d91376105b98ea28c0a508381707675d46eb40721e36cc335375&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T045128Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 12:51:28.792] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:51:28.792] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:51:28.792] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:51:28.792] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:51:28.792] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 12:51:28.792] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:51:29.042] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.8.17610986931250.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765428688792, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:51:29.042] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:51:29.042] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:51:29.042] [INFO] 
[tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:51:29.042] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 12:51:31.989] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26015 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.17610986931250.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.17610986931250.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=e0a1ae1d69cc3bddb37c2db66007c558a1cd1be6f779b559c99101696d7ed611&X-Amz-Date=20251211T045131Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 12:51:31.989] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:51:31.989] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:51:31.989] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:51:31.989] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:51:31.989] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:51:31.989] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:51:32.255] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.17610986931250.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765428691990, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 
49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, 
"2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 12:51:32.255] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 12:51:32.255] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 12:51:32.255] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 12:51:32.255] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 12:55:52.518] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26016 key: NULL payload: {"bucket":"2025-12-11","object":"12/output/gbm/alert.pcap.9.1765428945.jsonl","url":"http://111.32.12.11:9000/2025-12-11/12/output/gbm/alert.pcap.9.1765428945.jsonl?X-Amz-Expires=604800&X-Amz-Signature=5317995417f5ddfd17f0543ae321050a8036a105609ad7c6295c33aa4b748369&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T045552Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 12:55:52.518] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 12:55:52.518] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 12:55:52.518] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 12:55:52.518] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 12:55:52.518] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 12:55:52.519] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 12:55:52.524] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:12/output/gbm/alert.pcap.9.1765428945.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765428952519, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 12:55:52.524] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 12:55:52.524] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:09.044] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25631 key: NULL payload: 
{"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.10.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.10.17610986931300.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T050008Z&X-Amz-Signature=6eea6492407177c19454ec285e777f94a2c4a6e0e9138ae106e7c4e1cd6558bb&X-Amz-SignedHeaders=host"} [2025-12-11 13:00:09.044] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:09.044] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:09.044] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:09.044] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:09.044] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:09.045] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:09.231] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.10.17610986931300.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765429209045, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", 
"src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:09.231] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:00:09.231] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:09.231] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:09.231] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:12.177] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24874 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.11.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.11.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=2e335222373adc3203b1629748a4d093aea29b0cd16cf064d864ad97e3246150&X-Amz-Date=20251211T050011Z"} [2025-12-11 13:00:12.177] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:12.177] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:12.177] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:12.177] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:12.177] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:12.177] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 
13:00:12.368] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.11.17610986931300.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765429212178, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:12.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:00:12.368] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:12.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:12.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:15.342] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25632 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.1.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.1.17610986931300.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=8b31e2b5811a93eae34c0a0ffbdfcd6396d79c320a0ae40fd3a877360107d831&X-Amz-Expires=604800&X-Amz-Date=20251211T050014Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:00:15.342] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:15.342] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:15.342] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:15.342] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:15.342] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:15.342] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:15.535] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.1.17610986931300.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765429215342, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:15.535] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:00:15.535] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:15.535] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:15.535] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:18.534] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24875 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.12.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.12.17610986931300.jsonl?X-Amz-Date=20251211T050018Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=76b80e458a331541af4c76ce8706c41f03462c47254c510592242a1438dc9f70&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:00:18.534] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:18.534] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:18.534] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:18.534] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:18.534] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:18.534] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:18.730] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.12.17610986931300.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765429218534, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", 
"protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:18.730] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 13:00:18.730] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:18.730] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:18.730] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:21.699] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24876 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.13.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.13.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T050021Z&X-Amz-SignedHeaders=host&X-Amz-Signature=c803213682dc5e6038ae190900379ca894e9e1ece4780040575ad804f24c12a8"} [2025-12-11 13:00:21.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:21.699] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:21.699] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:21.699] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:21.699] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:21.699] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:21.912] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.13.17610986931300.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765429221699, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": 
"tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:21.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 13:00:21.913] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:21.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:21.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:00:25.078] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25633 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.14.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.14.17610986931300.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=5e14cb1758819ae5140ecacbf26800bd1575d43fc5f9eface964996d7cc253c4&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T050024Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 13:00:25.079] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:25.079] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:25.079] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:25.079] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:25.079] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:25.079] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:25.260] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.14.17610986931300.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765429225079, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", 
"protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:25.260] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:00:25.260] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:25.260] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 13:00:25.260] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:28.204] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25634 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.15.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.15.17610986931300.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T050027Z&X-Amz-Expires=604800&X-Amz-Signature=65b0e1f26689e88aefaed8f2c5c9f15183d8e3d38581f3944a00abe58956b70a&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:00:28.205] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:28.205] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:28.205] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:28.205] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:28.205] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:28.205] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:28.393] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.15.17610986931300.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765429228205, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:28.393] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:00:28.393] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:28.393] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:28.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:00:31.541] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25635 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.16.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.16.17610986931300.jsonl?X-Amz-Signature=01aa84e903651ad1e515ae7ad96cdf77c0889a44f74074613a2a10249065135c&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T050031Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:00:31.541] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:31.541] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:31.541] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:31.541] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:31.541] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:31.541] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:31.736] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.16.17610986931300.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765429231541, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", 
"protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:31.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:00:31.737] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:31.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:31.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:00:34.994] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24877 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.17.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.17.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=789adb27b0209dc3ed9e1d8ad97f323e8d09b9f6f4f138d200644574302e2cee&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T050034Z&X-Amz-SignedHeaders=host"} [2025-12-11 13:00:34.994] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:34.994] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:34.994] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:34.994] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:34.994] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:34.994] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:35.238] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.17.17610986931300.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765429234994, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:35.238] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:00:35.238] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:35.238] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:35.238] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:38.128] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25636 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.18.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.18.17610986931300.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T050037Z&X-Amz-Signature=40b9da506beae84b26aab701042d3c58b034924f1aca9acfb1e784a079787212&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:00:38.128] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:38.128] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:38.128] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:38.128] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:38.128] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:38.128] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:38.418] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.18.17610986931300.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765429238128, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:38.418] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:00:38.418] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:38.418] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:38.418] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:00:41.266] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25637 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.19.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.19.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T050040Z&X-Amz-Signature=0fd4eadcf8a43bb44c16c0ae68dbcef1824c23f7cfcf05e30c4b1ad2550034d4&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 13:00:41.266] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:41.266] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:41.266] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:41.266] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:41.266] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:41.267] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:41.499] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.19.17610986931300.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765429241268, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": 
"tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:41.499] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:00:41.499] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:41.499] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:41.499] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:44.442] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25638 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.20.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.20.17610986931300.jsonl?X-Amz-Expires=604800&X-Amz-Signature=d89417ac72a3ccb84a0a1c6f2de522341ee526e96d222a16911f310dec0f6480&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T050044Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:00:44.442] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:44.442] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:44.442] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:44.442] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:44.442] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:44.443] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:44.677] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.20.17610986931300.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765429244443, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", 
"src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:44.677] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:00:44.677] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:44.677] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:44.677] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:00:47.615] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24878 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.21.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.21.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=14023929a65125a95ff42719932843bf9ea38258735db305584065f1ac216c98&X-Amz-Date=20251211T050047Z&X-Amz-SignedHeaders=host"} [2025-12-11 13:00:47.615] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:47.615] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:47.615] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:47.615] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:47.615] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:47.616] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:47.860] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.21.17610986931300.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765429247616, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:47.860] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:00:47.860] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:47.860] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:47.860] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:00:50.824] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26017 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.2.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.2.17610986931300.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=5477fc4da7728346a7196c63a62f68cf32776e22618f8727b9e78517aedec2b4&X-Amz-Date=20251211T050050Z"} [2025-12-11 13:00:50.824] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:50.824] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:50.824] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:50.824] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:50.824] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:50.826] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:51.093] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.2.17610986931300.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765429250826, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", 
"protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:51.093] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:00:51.093] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:51.093] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:51.093] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:00:54.375] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24879 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.22.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.22.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=af1145f115d19816d25102f4a2be264b2f639eeec0867de7939878cbd8ea5dad&X-Amz-Date=20251211T050053Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 13:00:54.375] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:54.375] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:54.375] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:54.375] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:54.375] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:54.376] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:54.641] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.22.17610986931300.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765429254376, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 
3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:54.642] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:00:54.642] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:54.642] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:54.642] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:00:58.249] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26018 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.23.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.23.17610986931300.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T050057Z&X-Amz-Signature=8bb570db9bd68fadfd6de67c0965ef853172d97abe39200e5e520859a6d5e7da&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:00:58.249] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:00:58.249] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:00:58.249] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:00:58.249] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:00:58.249] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:00:58.250] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:00:58.501] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.23.17610986931300.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765429258250, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": 
"tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:00:58.501] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:00:58.501] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:00:58.501] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:00:58.501] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:01:01.513] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25639 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.24.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.24.17610986931300.jsonl?X-Amz-Signature=032ae65eabad5041dcb079e8edb8601bc6d98fc91003fe2738332efdcf1ba3f0&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T050101Z&X-Amz-Expires=604800"} [2025-12-11 13:01:01.513] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:01.513] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:01.513] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:01.513] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:01.513] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:01.514] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:01.758] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.24.17610986931300.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765429261514, "module": 
"anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:01.758] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:01:01.758] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:01.758] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:01.758] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:01:04.857] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26019 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.25.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.25.17610986931300.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T050104Z&X-Amz-Signature=db4e4e8c5178ff68aab84b28cb40235a2f40f4835c2881bd75104fcfc40cbbc9&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:01:04.857] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:04.857] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:04.858] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:04.858] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:04.858] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:04.858] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:05.109] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.25.17610986931300.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765429264858, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:05.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:01:05.109] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:05.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:05.109] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:01:08.114] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24880 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.26.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.26.17610986931300.jsonl?X-Amz-Date=20251211T050107Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=f918940a19489ad075ce267d2903ffaa20c4b98ac98f02b8d1ca13139a96aa78&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:01:08.114] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:08.114] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:08.114] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:08.114] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:08.115] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:08.115] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:08.378] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.26.17610986931300.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765429268115, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 
50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:08.379] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:01:08.379] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:08.379] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:08.379] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:01:11.334] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24881 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.3.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.3.17610986931300.jsonl?X-Amz-Signature=01f04739b3375f53fe330d8d81ad6f6e086f3df212a021136da1e3f85d650f89&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T050110Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:01:11.334] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:11.334] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:11.334] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:11.334] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:11.334] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 13:01:11.334] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:11.624] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.3.17610986931300.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765429271334, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:11.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 13:01:11.624] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:11.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:11.624] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:01:14.467] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26020 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.4.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.4.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T050113Z&X-Amz-Signature=3f9c3c8c564b60f446f3e64f4898ce7d150c8810ef4b4ca203169c27a2256578&X-Amz-SignedHeaders=host"} [2025-12-11 13:01:14.467] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:14.467] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:14.467] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:14.467] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:14.467] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:14.468] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:14.681] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.4.17610986931300.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765429274468, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:14.681] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 13:01:14.681] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:14.681] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:14.681] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:01:17.994] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26021 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.5.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.5.17610986931300.jsonl?X-Amz-Signature=177fdc7fde955bb2af8fa14fddfc58835b35626fe72e3dfa56e263e6625e8536&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T050117Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:01:17.994] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:17.994] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:17.994] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:17.994] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:17.994] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:17.995] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:18.245] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.5.17610986931300.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765429277995, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:18.245] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:01:18.245] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:18.245] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:18.245] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:01:21.135] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26022 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.6.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.6.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=bcbe0bb42a38853e52ba255e4103b20d7024e09421ff834f30042bf1e255a808&X-Amz-Date=20251211T050120Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:01:21.135] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:21.135] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:21.136] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:21.136] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:21.136] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:21.137] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:21.382] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.6.17610986931300.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765429281137, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:21.382] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 13:01:21.382] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:21.382] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:21.382] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:01:24.333] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25640 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.7.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.7.17610986931300.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T050123Z&X-Amz-Signature=84c5d85908d3fd752f0409d2b829cf74630165d51bc741334b6d1de1bc693870&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:01:24.333] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:24.333] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:24.333] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:24.333] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:24.334] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:24.334] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:24.565] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.7.17610986931300.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765429284334, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", 
"protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:24.565] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:01:24.565] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:24.565] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:24.565] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:01:27.522] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24882 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.8.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.8.17610986931300.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T050127Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=25af492cc59863d058bc280b92d706cd9b17ebca7d1065af961feed24448956e"} [2025-12-11 13:01:27.522] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:27.522] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:27.522] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:27.522] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:27.522] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:27.523] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:27.775] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.8.17610986931300.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765429287524, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:27.776] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:01:27.776] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
13:01:27.776] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:27.776] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:01:30.710] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26023 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.17610986931300.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.17610986931300.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T050130Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=0641fac5881a7a36aeb9320b1967966911b48bbee79c4a4035e1cee3587f4b7d&X-Amz-SignedHeaders=host"} [2025-12-11 13:01:30.711] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:01:30.711] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:01:30.711] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:01:30.711] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:01:30.711] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:01:30.711] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:01:30.948] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.17610986931300.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765429290711, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", 
"src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:01:30.948] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:01:30.948] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:01:30.948] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:01:30.948] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:09.154] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24883 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.10.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.10.17610986931310.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=f48d1fc451e467744815fa329d72fc5388c717cec0b7dfbd272efaa8c48e785f&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T051008Z"} [2025-12-11 13:10:09.154] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:09.154] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:09.154] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:09.154] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:09.154] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:09.155] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:09.384] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.10.17610986931310.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765429809155, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:09.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:10:09.384] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:09.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:09.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:12.319] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26024 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.11.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.11.17610986931310.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=c2192e6119e2ea7a20e97a4e4e3e1662dbd2dda3dc2ef4dadec48fc99f34835e&X-Amz-Date=20251211T051011Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:10:12.319] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:12.319] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:12.319] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:12.319] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:12.319] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:12.320] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:12.560] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.11.17610986931310.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765429812320, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 
13:10:12.560] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:10:12.560] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:12.560] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:12.560] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:15.526] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24884 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.1.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.1.17610986931310.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=f9cbf7477c5ca1f59501b619835feccf1bded6aa0781298c322c417116b097d6&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T051015Z&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:15.526] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:15.526] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:15.526] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:15.526] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:15.526] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:15.526] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:15.782] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.1.17610986931310.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765429815526, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": 
"tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:15.782] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:10:15.782] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:15.782] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:15.782] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:18.718] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25641 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.12.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.12.17610986931310.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=b65c8fb2fd00aec2c92efa2009095516be738eeca434ed0b8681d58730b65b2e&X-Amz-Date=20251211T051018Z"} [2025-12-11 13:10:18.718] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:18.718] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:18.718] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:18.718] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:18.718] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:18.718] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:18.999] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.12.17610986931310.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, 
"normal_count": 0, "timestamp": 1765429818719, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:18.999] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 13:10:18.999] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:18.999] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:18.999] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:21.874] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25642 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.13.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.13.17610986931310.jsonl?X-Amz-Signature=b9d1d2292034277d0975cbe8912858b01c18a2bb284ed78a9a4b36ba0a85bbc3&X-Amz-Date=20251211T051021Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:21.874] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:21.874] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:21.874] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:21.874] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:21.875] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 13:10:21.875] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:22.117] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.13.17610986931310.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765429821875, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", 
"protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:22.117] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 13:10:22.117] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:22.117] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:22.117] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:25.266] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25643 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.14.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.14.17610986931310.jsonl?X-Amz-Date=20251211T051024Z&X-Amz-Signature=dda318d926eb4de4273e2e6981603bcbc899d78282e48822f4e9fe40d551c539&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:10:25.266] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:25.266] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:25.266] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:25.267] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:25.267] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:25.267] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:25.519] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.14.17610986931310.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765429825267, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:25.519] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:10:25.519] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:25.519] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 13:10:25.519] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:28.385] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26025 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.15.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.15.17610986931310.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T051027Z&X-Amz-Signature=ccf21770218ba2a44f22ee23527f453ef036239b6b764a80b207434d69339877&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:28.385] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:28.385] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:28.385] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:28.386] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:28.386] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:28.386] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:28.633] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.15.17610986931310.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765429828386, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 
1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:28.634] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:10:28.634] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:28.634] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:28.634] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:31.714] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26026 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.16.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.16.17610986931310.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=7c885585c7cbe7aa5b98aa0b10722b04aee08a0502893270b687c148600a3e44&X-Amz-Date=20251211T051031Z&X-Amz-Expires=604800"} [2025-12-11 13:10:31.714] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:31.714] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:31.714] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:31.714] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:31.714] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:31.714] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:31.984] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.16.17610986931310.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765429831714, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", 
"src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:31.984] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:10:31.984] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:31.984] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:31.984] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:35.187] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24885 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.17.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.17.17610986931310.jsonl?X-Amz-Date=20251211T051034Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ca72178327f00229326daf1dc18ff99bcded43956ca197d3aabf94092aa7f2a9&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 13:10:35.187] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:35.187] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:35.187] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:35.187] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:35.187] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:35.188] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:35.445] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.17.17610986931310.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765429835188, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:35.445] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:10:35.445] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:35.445] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:35.445] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:38.323] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24886 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.18.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.18.17610986931310.jsonl?X-Amz-Date=20251211T051037Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=e4d2177d0042b69db94a885e6fda93c1307bd83a03ceccb55142fa044ffae264&X-Amz-Expires=604800"} [2025-12-11 13:10:38.323] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:38.323] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:38.323] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:38.323] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:38.323] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:38.324] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:38.550] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.18.17610986931310.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765429838325, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:38.550] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:10:38.550] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:38.550] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:38.550] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:41.461] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25644 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.19.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.19.17610986931310.jsonl?X-Amz-Expires=604800&X-Amz-Signature=8c57147e80139fa079c2b1d44e83eb777f2ed4e4178587ecbd4c8374dc39b2dd&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T051041Z&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:41.461] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:41.461] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:41.461] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:41.461] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:41.461] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:41.461] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:41.699] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.19.17610986931310.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765429841462, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", 
"protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:41.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:10:41.699] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:41.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:41.699] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:44.637] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25645 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.20.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.20.17610986931310.jsonl?X-Amz-Signature=e98ca47fb7c28fa40dda57dfce92ecc06465e41f84899330864f48bcf400bf4d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T051044Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:44.637] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:44.637] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:44.637] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:44.637] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:44.637] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:44.638] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:44.889] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.20.17610986931310.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765429844638, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", 
"src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:44.889] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:10:44.889] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:44.889] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:44.889] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:47.772] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26027 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.21.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.21.17610986931310.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T051047Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=9e6b1546b2d3073667159cda4c44a44af4855fb96b2894d06c7fe2c0f3c60ea6"} [2025-12-11 13:10:47.772] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:47.772] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:47.772] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:47.772] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:47.772] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:47.773] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:48.018] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.21.17610986931310.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765429847773, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:48.018] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:10:48.018] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:48.018] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:48.018] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:50.961] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26028 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.2.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.2.17610986931310.jsonl?X-Amz-Signature=e41ef1c92c11e5502d022f5c9308dea6100cad496f28284ed92e02b8787fde7c&X-Amz-Date=20251211T051050Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:50.961] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:50.961] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:50.961] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:50.962] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:50.962] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:50.962] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:51.244] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.2.17610986931310.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765429850963, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:51.244] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:10:51.244] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:51.244] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:51.244] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:10:54.451] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26029 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.22.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.22.17610986931310.jsonl?X-Amz-Date=20251211T051054Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=b69019d0ae08a008ec1e60b5d32dc4b692f7ce0ec3a586606cee7a3f53484476&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:54.451] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:54.451] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:54.451] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:54.451] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:54.451] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:54.452] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:54.644] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.22.17610986931310.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765429854452, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:54.644] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:10:54.644] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:54.644] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:54.644] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:10:58.318] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26030 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.23.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.23.17610986931310.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=e5fa92277e75040a8dc7e9f3b75ef7a2a5167eda6be16b6bcfcc896d13c9f950&X-Amz-Date=20251211T051058Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 13:10:58.318] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:10:58.319] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:10:58.319] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:10:58.319] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:10:58.319] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:10:58.319] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:10:58.565] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.23.17610986931310.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765429858319, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": 
"tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:10:58.565] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:10:58.565] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:10:58.565] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:10:58.565] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:11:01.552] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24887 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.24.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.24.17610986931310.jsonl?X-Amz-Signature=68be7338a4edee71c55a2890162cbf1085eb3db5eaac2b78644a5a4ebf2ff173&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T051101Z"} [2025-12-11 13:11:01.552] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:01.552] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:01.553] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:01.553] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:01.553] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:01.553] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:01.736] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.24.17610986931310.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765429861553, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:01.736] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:11:01.736] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:01.736] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:01.736] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:11:05.007] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25646 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.25.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.25.17610986931310.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T051104Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=43f3b4e97cfdc4c492df7ba0bb75f80c436fc94380d7786b3d1bf9be6ab048d2"} [2025-12-11 13:11:05.007] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:05.007] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:05.007] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:05.007] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:05.007] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:05.008] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:05.257] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.25.17610986931310.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765429865009, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 
4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:05.257] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:11:05.257] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:05.257] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:05.257] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:11:08.214] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24888 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.26.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.26.17610986931310.jsonl?X-Amz-Signature=d30570189536b10ddfa2647cf4143031eb5d625934e2c3c40070dc2bcc70d177&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T051107Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 13:11:08.214] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:08.214] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:08.214] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:08.214] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:08.214] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:08.215] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:08.464] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.26.17610986931310.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765429868215, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 
50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:08.464] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:11:08.464] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:08.464] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:08.464] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:11:11.434] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25647 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.3.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.3.17610986931310.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T051110Z&X-Amz-Signature=e4ae4dd8cd56ae095069b587af309e73105fe77ed9c2865426f7b1de621bb7b4&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:11:11.434] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:11.434] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:11.434] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:11.434] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:11.434] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 13:11:11.434] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:11.634] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.3.17610986931310.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765429871434, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 
1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:11.634] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 13:11:11.634] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:11.634] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:11.634] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:11:14.563] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24889 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.4.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.4.17610986931310.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T051114Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=06efb4d9728ae3dcf595aa272cde21500712caab95b12cf500b44103821e8c01"} [2025-12-11 13:11:14.563] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:14.563] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:14.563] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:14.563] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:14.563] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:14.563] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:14.737] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.4.17610986931310.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765429874563, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:14.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 13:11:14.737] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:14.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:14.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:11:18.107] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26031 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.5.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.5.17610986931310.jsonl?X-Amz-Date=20251211T051117Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=b57939018c921506367f824caf90f775e04c9717d3087cc89807c6b6b83c07ad"} [2025-12-11 13:11:18.107] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:18.107] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:18.107] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:18.107] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:18.107] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:18.108] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:18.293] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.5.17610986931310.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765429878108, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:18.293] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:11:18.293] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:18.293] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:18.293] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:11:21.248] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24890 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.6.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.6.17610986931310.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=b017c9caf3cabd7c4ad9a3add218e2c4cc76c9d1b868b8bf9d639b5a420d6bd9&X-Amz-Date=20251211T051120Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:11:21.248] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:21.248] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:21.248] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:21.248] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:21.248] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:21.249] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:21.427] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.6.17610986931310.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765429881249, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:21.427] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 13:11:21.427] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:21.427] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:21.427] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:11:24.516] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24891 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.7.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.7.17610986931310.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=3f912febcc390ea73c0506ec3ff189522d395d3e9923031f988dabcfac4fe984&X-Amz-Date=20251211T051124Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:11:24.516] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:24.516] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:24.516] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:24.516] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:24.516] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:24.516] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:24.736] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.7.17610986931310.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765429884516, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": 
"tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:24.736] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:11:24.736] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:24.736] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:24.736] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:11:27.705] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26032 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.8.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.8.17610986931310.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=c84a05b27e9a16588b3d75a1a6d3db2742ad6209fb18f3bc11d08b53e9ee324d&X-Amz-Date=20251211T051127Z"} [2025-12-11 13:11:27.705] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:27.705] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:27.706] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:27.706] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:27.706] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:27.706] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:27.896] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.8.17610986931310.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765429887706, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:27.896] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:11:27.896] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:27.896] 
[INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:27.896] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:11:30.874] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26033 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.17610986931310.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.17610986931310.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=ef1707c3630443b3c558ffc8e948f43ffc48cd8c99a9dd9f18bb0faef00af15e&X-Amz-Date=20251211T051130Z"} [2025-12-11 13:11:30.874] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:30.874] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:30.874] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:30.874] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:30.874] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:30.874] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:31.105] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.17610986931310.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765429890874, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 
50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:11:31.105] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:11:31.105] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:11:31.105] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:11:31.105] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:11:34.211] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24892 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.1765429846.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.1765429846.jsonl?X-Amz-Signature=d449416107c1ffe4a8cc0f015c2aae8d15bef15fe6f09ca55cf11cac37dcc05c&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T051133Z&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:11:34.211] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:11:34.211] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:11:34.211] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:11:34.211] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:11:34.211] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:11:34.212] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:11:34.218] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.1765429846.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765429894212, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 13:11:34.218] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 13:11:34.218] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:09.160] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24893 key: NULL payload: 
{"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.10.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.10.17610986931320.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T052008Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=eb19336ce067cd3af11c6f1014a09c2fed9a4ed8660bb5da976c9d3f77555162"} [2025-12-11 13:20:09.160] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:09.160] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:09.161] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:09.161] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:09.161] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:09.162] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:09.438] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.10.17610986931320.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765430409162, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 
50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:09.438] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:20:09.438] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:09.438] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:09.438] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:12.310] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26034 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.11.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.11.17610986931320.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T052011Z&X-Amz-Signature=0ccb97b78edd9d1d1c9f5bb811c63bfed77d0e2d3dc802b7ef1ac5b765443068"} [2025-12-11 13:20:12.311] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:12.311] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:12.311] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:12.311] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:12.311] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:12.311] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:12.498] 
[DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.11.17610986931320.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765430412311, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:12.498] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:20:12.498] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:12.498] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:12.498] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:15.470] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24894 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.1.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.1.17610986931320.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=6627c78f571c0ade7cf05263abd5d83c70aab53145c805336c64fbce88d0e577&X-Amz-Date=20251211T052015Z"} [2025-12-11 13:20:15.470] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:15.470] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:15.662] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.1.17610986931320.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765430415470, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 
6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:15.662] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:20:15.662] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:15.662] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:15.662] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:18.674] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26035 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.12.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.12.17610986931320.jsonl?X-Amz-Date=20251211T052018Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=e84d5a603c1339fcfb5067dd16eb4fc402fb83d9d9dcfe94db19cd12b7eef777&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:20:18.675] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:18.675] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:18.675] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:18.675] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:18.675] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:18.675] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:18.868] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.12.17610986931320.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765430418675, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": 
"tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:18.868] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 13:20:18.868] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:18.868] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:18.868] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:21.839] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25648 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.13.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.13.17610986931320.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T052021Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=e3f84e5d6f3935955d81d36d19d40d518dfc5aba699bb23b79aff7ae746cd386&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:20:21.839] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:21.839] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:21.840] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:21.840] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:21.840] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:21.841] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:22.074] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.13.17610986931320.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765430421841, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:22.074] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 13:20:22.074] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:22.074] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:22.074] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:20:25.218] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24895 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.14.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.14.17610986931320.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=769b1f14fc909947c75fddf349fcd36da56d976f872c9bcbf877b327e685bd14&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T052024Z&X-Amz-Expires=604800"} [2025-12-11 13:20:25.219] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:25.219] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:25.219] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:25.219] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:25.219] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:25.219] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:25.451] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.14.17610986931320.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765430425219, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:25.451] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:20:25.451] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:25.451] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 13:20:25.451] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:28.344] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26036 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.15.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.15.17610986931320.jsonl?X-Amz-Signature=441a56de7da3cff6be500b683deaec28246f8eb1d25a2679854772941716a5e3&X-Amz-Expires=604800&X-Amz-Date=20251211T052027Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:20:28.344] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:28.344] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:28.344] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:28.344] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:28.344] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:28.344] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:28.580] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.15.17610986931320.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765430428344, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:28.580] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:20:28.580] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:28.580] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:28.580] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:20:31.673] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26037 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.16.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.16.17610986931320.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052031Z&X-Amz-Signature=88d8e33dd123e70b308afae46014e7783598de16e7faaf806db5d89cfd299f34&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:20:31.673] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:31.673] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:31.673] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:31.674] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:31.674] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:31.674] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:31.944] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.16.17610986931320.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765430431675, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:31.944] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:20:31.944] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:31.944] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:31.944] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:20:35.138] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24896 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.17.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.17.17610986931320.jsonl?X-Amz-Signature=3712e1de5fc49cb402bc44366b6953211fb64449844f3240e3cde19f4dc07702&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052034Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:20:35.138] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:35.138] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:35.139] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:35.139] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:35.139] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:35.140] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:35.439] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.17.17610986931320.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765430435140, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:35.439] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:20:35.439] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:35.439] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:35.439] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:38.327] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25649 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.18.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.18.17610986931320.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T052037Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=109a5f0c5ccb9ffe88823a821ae30679931a08489b6eb8d1acc1eb4273bd4742&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:20:38.328] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:38.328] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:38.328] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:38.328] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:38.328] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:38.329] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:38.570] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.18.17610986931320.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765430438329, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:38.571] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:20:38.571] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:38.571] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:38.571] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:20:41.470] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24897 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.19.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.19.17610986931320.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T052041Z&X-Amz-Signature=6cbb6936fbc2525b5aa60daa83fd4819bdf538ef40d81f9b6f0eda179f3638d6&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:20:41.470] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:41.470] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:41.470] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:41.470] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:41.470] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:41.470] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:41.728] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.19.17610986931320.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765430441471, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": 
"tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:41.728] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:20:41.728] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:41.728] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:41.728] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:44.662] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24898 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.20.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.20.17610986931320.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052044Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=d5bbb390ebea1f9ffaf92b2b05dc6eaf8229371a133b77ff4dee9381838007c2"} [2025-12-11 13:20:44.662] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:44.662] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:44.662] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:44.662] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:44.662] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:44.663] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:44.920] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.20.17610986931320.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765430444664, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", 
"src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:44.920] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:20:44.920] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:44.920] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:44.920] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:20:47.797] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25650 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.21.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.21.17610986931320.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=8a87788408b5db48e2451c2b45859dede1b2139297769e9670e8130edc8a69ef&X-Amz-Date=20251211T052047Z"} [2025-12-11 13:20:47.797] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:47.797] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:47.797] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:47.797] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:47.797] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:47.798] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:48.062] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.21.17610986931320.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765430447798, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", 
"protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:48.062] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:20:48.062] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:48.062] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:48.062] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:20:50.991] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25651 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.2.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.2.17610986931320.jsonl?X-Amz-Date=20251211T052050Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=b83e0384ed1ad58f3252661ce2c46898d446999325b3a30bcae8eaee1b4453e0&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:20:50.991] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:50.991] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:50.992] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:50.992] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:50.992] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:50.992] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:51.308] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.2.17610986931320.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765430450993, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:51.308] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:20:51.308] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:51.308] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:51.308] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:20:54.488] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24899 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.22.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.22.17610986931320.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052054Z&X-Amz-Signature=35c1e9d065cb4a3a8cb3b2a7671085936e2504f4070c95ae32e94746ce8d804d&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:20:54.488] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:54.488] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:54.489] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:54.489] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:54.489] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:54.489] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:54.751] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.22.17610986931320.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765430454489, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, 
"2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 
1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:54.751] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:20:54.751] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:54.751] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:54.751] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:20:58.337] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25652 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.23.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.23.17610986931320.jsonl?X-Amz-Signature=2178d8480da06bd71d9c37e666f3e392ac7f16307b583a8b4c4d3350ed14790d&X-Amz-Date=20251211T052057Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:20:58.337] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:20:58.337] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:20:58.337] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:20:58.337] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:20:58.337] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:20:58.338] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:20:58.593] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.23.17610986931320.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765430458338, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", 
"protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:20:58.593] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:20:58.593] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:20:58.593] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:20:58.593] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:21:01.568] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25653 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.24.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.24.17610986931320.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=923d2dd929618d4b96f47f23feba2316c29ef037cc211294150aa2937328cb75&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052101Z"} [2025-12-11 13:21:01.568] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:01.568] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:01.568] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:01.568] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:01.568] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:01.569] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:01.810] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.24.17610986931320.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765430461569, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:01.810] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:21:01.810] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:01.810] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:01.810] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:21:04.984] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24900 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.25.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.25.17610986931320.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=26d94d960ab9c7683af4f21f06eafdf38f474eea45373ddd113ea919d0a7fec4&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T052104Z&X-Amz-Expires=604800"} [2025-12-11 13:21:04.985] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:04.985] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:04.985] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:04.985] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:04.985] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:04.985] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:05.234] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.25.17610986931320.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765430464986, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:05.234] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:21:05.234] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:05.234] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:05.234] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:21:08.227] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24901 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.26.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.26.17610986931320.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=1f78a84812988239abbf836ba6aea0dc30d0c9cb5f842702ce4df5337537d327&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052107Z&X-Amz-SignedHeaders=host"} [2025-12-11 13:21:08.228] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:08.228] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:08.228] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:08.228] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:08.228] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:08.228] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:08.507] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.26.17610986931320.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765430468228, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 
49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:08.507] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:21:08.507] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:08.507] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:08.507] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:21:11.482] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25654 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.3.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.3.17610986931320.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=b5c9fd9ee0910782c1a746b310bd35b23200bb2d6cc0497743fb52845709e896&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T052110Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:21:11.483] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:11.483] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:11.483] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:11.483] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:11.483] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 13:21:11.483] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:11.739] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.3.17610986931320.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765430471483, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:11.739] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 13:21:11.739] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:11.739] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:11.739] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:21:14.612] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24902 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.4.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.4.17610986931320.jsonl?X-Amz-Signature=e4e424870e21e32377e023811e6408ddcdb2f66aaf2f3459ee4e48baab1ffedd&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052114Z&X-Amz-Expires=604800"} [2025-12-11 13:21:14.612] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:14.612] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:14.612] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:14.612] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:14.612] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:14.613] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:14.835] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.4.17610986931320.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765430474613, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:14.835] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 13:21:14.835] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:14.835] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:14.835] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:21:18.181] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24903 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.5.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.5.17610986931320.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=c2fc3976b330b82cc86afcb3af32a1ad7dfde7323f34934539e047a5b54ae4b7&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T052117Z&X-Amz-SignedHeaders=host"} [2025-12-11 13:21:18.182] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:18.182] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:18.182] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:18.182] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:18.182] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:18.182] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:18.441] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.5.17610986931320.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765430478182, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:18.441] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:21:18.441] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:18.441] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:18.441] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:21:21.334] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24904 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.6.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.6.17610986931320.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T052120Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=db87fe200e555e63559460e3bab0be6de252e8160b08dca399634c7b0471dfa2&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:21:21.334] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:21.334] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:21.334] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:21.334] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:21.334] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:21.334] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:21.576] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.6.17610986931320.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765430481334, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:21.576] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 13:21:21.576] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:21.576] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:21.576] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:21:24.558] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26038 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.7.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.7.17610986931320.jsonl?X-Amz-Date=20251211T052124Z&X-Amz-Signature=945b63613677a490610995138dec343cac4cdee647f4ca9ba48f44709f05163c&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:21:24.558] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:24.558] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:24.558] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:24.558] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:24.558] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:24.559] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:24.801] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.7.17610986931320.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765430484559, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:24.802] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:21:24.802] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:24.802] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:24.802] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:21:27.750] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26039 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.8.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.8.17610986931320.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T052127Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=e7cbb9fc7d8de6a99fe7f511892aad253ca067d56d39f9e495e12b0b4eb4fde7&X-Amz-Expires=604800"} [2025-12-11 13:21:27.750] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:27.750] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:27.750] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:27.750] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:27.750] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:27.751] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:28.002] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.8.17610986931320.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765430487751, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:28.002] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:21:28.002] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
13:21:28.002] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:28.002] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:21:30.955] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26040 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.17610986931320.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.17610986931320.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=a50ec1fc461c80c1afe278ece3eac290631c2c73836a81b4405b5d2fa9ef5eb2&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T052130Z&X-Amz-Expires=604800"} [2025-12-11 13:21:30.955] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:21:30.955] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:21:30.956] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:21:30.956] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:21:30.956] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:21:30.956] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:21:31.196] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.17610986931320.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765430490956, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 
49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:21:31.196] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:21:31.196] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:21:31.196] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:21:31.196] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:25:55.274] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26041 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.1765430747.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.1765430747.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=3399fbc8aee4f196ed0f6b739e70cc9bed00b1f6eef9dae064524f73c329b0f1&X-Amz-Date=20251211T052554Z"} [2025-12-11 13:25:55.274] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:25:55.274] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:25:55.274] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:25:55.274] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:25:55.274] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:25:55.275] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:25:55.286] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.1765430747.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765430755275, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 13:25:55.286] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 13:25:55.286] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:09.306] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24905 key: NULL payload: 
{"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.10.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.10.17610986931330.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T053008Z&X-Amz-Expires=604800&X-Amz-Signature=9d519cabf3c423e434be26b0d338fa4b21058575ad0933fe967b05d3ad7411cd"} [2025-12-11 13:30:09.306] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:09.306] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:09.306] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:09.306] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:09.306] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:09.307] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:09.587] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.10.17610986931330.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765431009308, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:09.587] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:30:09.587] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:09.587] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:09.587] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:12.413] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25655 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.11.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.11.17610986931330.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=78dac68991b332062d026de7a610fc171dc1a6d4b8fe653b77e0347996e94236&X-Amz-Date=20251211T053012Z"} [2025-12-11 13:30:12.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:12.413] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:12.413] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:12.413] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:12.413] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:12.414] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:12.665] 
[DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.11.17610986931330.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765431012414, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 
443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:12.665] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:30:12.665] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:12.665] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:12.665] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:15.566] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25656 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.1.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.1.17610986931330.jsonl?X-Amz-Date=20251211T053015Z&X-Amz-Signature=949ec50711332f6b7fc91de3b14c3cf8d215009f7237c67b22cf36c5f0ff5a80&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:30:15.566] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:15.566] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:15.566] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:15.566] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:15.566] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:15.566] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:15.850] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.1.17610986931330.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765431015566, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:15.851] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:30:15.851] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:15.851] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:15.851] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:18.774] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24906 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.12.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.12.17610986931330.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T053018Z&X-Amz-Signature=ab0cef793cf0e5735048ef0c88548e0c88e48255fd190af9898c976af66c9de8&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:30:18.774] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:18.774] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:18.775] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:18.775] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:18.775] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:18.775] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:19.025] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.12.17610986931330.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765431018775, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", 
"protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:19.025] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 13:30:19.025] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:19.025] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:19.025] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:21.929] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26042 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.13.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.13.17610986931330.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T053021Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=0e65737c18c1441e54278adff8085067d8c1d0933ecd4e57188ee59cda4c873f"} [2025-12-11 13:30:21.930] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:21.930] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:21.930] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:21.930] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:21.930] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:21.930] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:22.173] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.13.17610986931330.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765431021930, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", 
"src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:22.173] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 13:30:22.173] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:22.173] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:22.173] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:30:25.313] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24907 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.14.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.14.17610986931330.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=b715b8ae2782606eb9d0ab23a69e579befa034cedae908d6a33924b615f06492&X-Amz-Date=20251211T053024Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 13:30:25.314] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:25.314] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:25.314] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:25.314] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:25.314] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:25.314] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:25.561] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.14.17610986931330.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765431025314, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:25.561] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:30:25.561] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:25.561] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 13:30:25.561] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:28.452] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25657 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.15.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.15.17610986931330.jsonl?X-Amz-Date=20251211T053027Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=155fd10e13e741d39bd6d037f570a069c9ac4f2c54fcb5fed889ee3ed0248c57"} [2025-12-11 13:30:28.453] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:28.453] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:28.453] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:28.453] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:28.453] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:28.453] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:28.717] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.15.17610986931330.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765431028453, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:28.717] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:30:28.717] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:28.717] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:28.717] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:30:31.781] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24908 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.16.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.16.17610986931330.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T053031Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=138c54392b49f9541c99b912e706b02a044a9e39ef7fa600851f3a984bff073a"} [2025-12-11 13:30:31.781] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:31.781] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:31.781] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:31.781] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:31.781] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:31.782] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:32.061] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.16.17610986931330.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765431031782, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", 
"protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:32.061] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:30:32.061] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:32.061] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:32.061] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:30:35.267] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24909 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.17.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.17.17610986931330.jsonl?X-Amz-Date=20251211T053034Z&X-Amz-SignedHeaders=host&X-Amz-Signature=6f56d3807d196e93f43c51e518b2024d67b2ef80b9b663bd9719982bb3148cf8&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:30:35.267] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:35.268] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:35.268] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:35.268] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:35.268] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:35.268] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:35.539] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.17.17610986931330.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765431035269, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:35.539] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:30:35.539] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:35.539] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:35.539] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:38.406] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25658 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.18.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.18.17610986931330.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T053037Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=744b0f9753bbb33a90d1a27a3c5c9a149750697047ef00012044f3da4c0185ae&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:30:38.406] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:38.406] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:38.406] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:38.406] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:38.406] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:38.407] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:38.655] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.18.17610986931330.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765431038407, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:38.655] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:30:38.655] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:38.655] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:38.655] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:30:41.550] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24910 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.19.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.19.17610986931330.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T053041Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=f9edb342dd2d2f792e41feeb4794c870b0783fb65a92f2500404cc5b1d986694"} [2025-12-11 13:30:41.550] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:41.550] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:41.550] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:41.550] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:41.550] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:41.550] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:41.801] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.19.17610986931330.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765431041550, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": 
"tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:41.801] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:30:41.801] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:41.801] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:41.801] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:44.737] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24911 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.20.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.20.17610986931330.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T053044Z&X-Amz-SignedHeaders=host&X-Amz-Signature=d68047e2d0ab6e9bf63b282bfd1b0d6eab2822c3c6e62432332b1f8171245aec&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:30:44.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:44.737] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:44.737] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:44.737] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:44.737] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:44.737] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:44.985] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.20.17610986931330.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765431044737, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", 
"src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:44.985] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:30:44.985] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:44.985] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:44.985] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:30:47.869] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24912 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.21.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.21.17610986931330.jsonl?X-Amz-Signature=8b8c74195f424c732c2e0cbc5e6b43b333a0657953ae10b33bb4fee0936da154&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T053047Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:30:47.870] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:47.870] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:47.870] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:47.870] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:47.870] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:47.870] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:48.151] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.21.17610986931330.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765431047870, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:48.151] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:30:48.151] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:48.151] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:48.151] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:30:51.061] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24913 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.2.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.2.17610986931330.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=301f4b39bf2833476a7f075b8858195bd754a351719a250aaf9df0de1c438739&X-Amz-Date=20251211T053050Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:30:51.061] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:51.061] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:51.061] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:51.061] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:51.061] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:51.061] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:51.329] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.2.17610986931330.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765431051061, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:51.330] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:30:51.330] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:51.330] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:51.330] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:30:54.593] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24914 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.22.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.22.17610986931330.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T053054Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=b7d06761516c7bb090c6a8a06bdf2dc6317dfccdf86e2aa6aec3cc1e83abc32f"} [2025-12-11 13:30:54.593] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:54.593] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:54.593] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:54.593] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:54.593] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:54.594] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:54.864] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.22.17610986931330.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765431054594, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:54.864] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:30:54.864] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:54.864] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:54.864] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:30:58.485] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25659 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.23.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.23.17610986931330.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T053058Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=6fbdc2669cabb9726a79ab77dd89b03e340a42bcd91d21a99dd057702ca4eb25"} [2025-12-11 13:30:58.485] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:30:58.485] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:30:58.485] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:30:58.485] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:30:58.485] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:30:58.486] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:30:58.747] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.23.17610986931330.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765431058486, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", 
"protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:30:58.748] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:30:58.748] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:30:58.748] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:30:58.748] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:31:01.710] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26043 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.24.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.24.17610986931330.jsonl?X-Amz-Signature=b086dd2108e2289882752a7753eb3764a79830cd9c7cdd8b8da54f4153b11e17&X-Amz-Date=20251211T053101Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 13:31:01.710] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:01.710] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:01.710] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:01.710] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:01.710] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:01.710] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:01.940] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.24.17610986931330.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765431061710, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:01.940] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:31:01.940] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:01.940] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:01.940] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:31:05.132] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26044 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.25.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.25.17610986931330.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=4ec5eeed22d68e5bec09a4df63b49cc40f40523c70be967b76006c8f9171ac2d&X-Amz-Date=20251211T053104Z"} [2025-12-11 13:31:05.132] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:05.132] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:05.132] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:05.132] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:05.132] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:05.133] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:05.361] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.25.17610986931330.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765431065133, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 
4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:05.361] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:31:05.361] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:05.361] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:05.361] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:31:08.339] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25660 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.26.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.26.17610986931330.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T053107Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=95ea6f19c28d95c4bc1ca8c429763233b6e1faf09df72b419d101df1cc3e872e&X-Amz-SignedHeaders=host"} [2025-12-11 13:31:08.339] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:08.339] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:08.339] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:08.339] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:08.339] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:08.340] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:08.598] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.26.17610986931330.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765431068340, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:08.598] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:31:08.598] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:08.598] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:08.599] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:31:11.559] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26045 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.3.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.3.17610986931330.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T053111Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=9ab7cc31c0cc1d513ff53c8d6ac1d41284076ddf3ffa304efc99cde28c55f021&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:31:11.559] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:11.559] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:11.560] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:11.560] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:11.560] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 13:31:11.560] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:11.812] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.3.17610986931330.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765431071560, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:11.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 13:31:11.812] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:11.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:11.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:31:14.697] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26046 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.4.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.4.17610986931330.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=3691013ad70e4a1adac213a834e67827605c9a002f899c642ea4b359a252184e&X-Amz-Date=20251211T053114Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:31:14.697] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:14.697] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:14.697] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:14.697] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:14.697] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:14.697] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:14.912] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.4.17610986931330.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765431074697, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:14.912] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 13:31:14.912] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:14.912] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:14.912] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:31:18.274] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24915 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.5.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.5.17610986931330.jsonl?X-Amz-Expires=604800&X-Amz-Signature=bfc068045f3b4133f02ef36d66309132a6c6ba13b2d7d348936a0381cae2c007&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T053117Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:31:18.274] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:18.274] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:18.274] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:18.274] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:18.274] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:18.275] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:18.526] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.5.17610986931330.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765431078275, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:18.527] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:31:18.527] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:18.527] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:18.527] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:31:21.416] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26047 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.6.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.6.17610986931330.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T053120Z&X-Amz-Signature=09e831ac7848a64ada1dad053939d8658aab32fa45d4b5c5673ddec5ecd457b9&X-Amz-SignedHeaders=host"} [2025-12-11 13:31:21.416] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:21.416] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:21.417] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:21.417] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:21.417] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:21.418] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:21.676] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.6.17610986931330.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765431081418, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:21.676] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 13:31:21.676] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:21.676] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:21.676] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:31:24.680] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26048 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.7.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.7.17610986931330.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T053124Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=9e12896a59e39a3fe8f57933f00fa87a457bdcf0e186d6267c8462054d4f9334"} [2025-12-11 13:31:24.680] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:24.680] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:24.680] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:24.680] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:24.680] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:24.681] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:24.960] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.7.17610986931330.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765431084681, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:24.960] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:31:24.961] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:24.961] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:24.961] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:31:27.876] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26049 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.8.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.8.17610986931330.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=860ab05cd6c4f0b4c2282fca43096f5ecd8b8ce4078dc8f6ec655f839d602e10&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T053127Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:31:27.876] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:27.876] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:27.876] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:27.876] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:27.876] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:27.877] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:28.111] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.8.17610986931330.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765431087877, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:28.111] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:31:28.111] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
13:31:28.111] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:28.111] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:31:31.080] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26050 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.17610986931330.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.17610986931330.jsonl?X-Amz-Date=20251211T053130Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=5c6b874bd70f782f5daee8217a35cbf7d4ad7e0e35d5dcc0e647e7ddf7a64ead"} [2025-12-11 13:31:31.080] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:31:31.080] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:31:31.080] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:31:31.080] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:31:31.080] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:31:31.081] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:31:31.328] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.17610986931330.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765431091081, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 
49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:31:31.328] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:31:31.328] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:31:31.328] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:31:31.329] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:09.397] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26051 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.10.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.10.17610986931340.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T054008Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=b23e9a6e75855da1babf5696f18102efe32d2bcf260e1b0af80ffa951c56585b&X-Amz-SignedHeaders=host"} [2025-12-11 13:40:09.397] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:09.397] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:09.397] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:09.397] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:09.397] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:09.398] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:09.697] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.10.17610986931340.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765431609398, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, 
"2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:09.697] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:40:09.697] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:09.697] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:09.697] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:12.536] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24916 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.11.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.11.17610986931340.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T054012Z&X-Amz-SignedHeaders=host&X-Amz-Signature=4a665928b797a618c3104bfdfda0f8bb5d4c9b9a20bc76064da0dbcdf315c64f&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 13:40:12.536] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:12.536] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:12.536] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:12.537] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:12.537] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:12.537] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:12.773] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.11.17610986931340.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765431612537, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} 
[2025-12-11 13:40:12.773] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:40:12.773] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:12.773] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:12.773] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:15.692] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26052 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.1.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.1.17610986931340.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=b8ffd1addf95930b7217d64ef34e32148622e0fbf65f92e3dba9548bb635d0ef&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T054015Z"} [2025-12-11 13:40:15.692] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:15.692] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:15.692] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:15.692] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:15.692] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:15.693] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:15.951] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.1.17610986931340.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765431615693, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": 
"10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:15.951] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:40:15.951] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:15.951] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:15.951] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:18.893] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26053 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.12.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.12.17610986931340.jsonl?X-Amz-Date=20251211T054018Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=59b1662831150e6282228243566eeee878c24dcdc26ca358b63fb09f590dc7d8"} [2025-12-11 13:40:18.893] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:18.893] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:18.894] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:18.894] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:18.894] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:18.894] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:19.151] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.12.17610986931340.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, 
"abnormal_count": 23, "normal_count": 0, "timestamp": 1765431618894, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 
49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:19.151] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 13:40:19.151] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:19.151] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:19.151] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:22.049] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26054 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.13.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.13.17610986931340.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=8f078bb5c09e2171c86d15c1a20f26ba9707fc9ef056f2317e778f491c378ec8&X-Amz-Date=20251211T054021Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:40:22.049] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:22.049] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:22.049] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:22.049] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:22.049] [INFO] [tid:129356944758464] (AiModule.cpp:148) 
prepare args for function load [2025-12-11 13:40:22.050] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:22.298] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.13.17610986931340.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765431622050, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:22.298] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 13:40:22.298] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:22.298] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:22.298] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:25.472] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26055 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.14.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.14.17610986931340.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T054025Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=ede9143f5a722853c7548534e64dec272bd2a478cc461b43d68b40b919c5c577"} [2025-12-11 13:40:25.472] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:25.472] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:25.473] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:25.473] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:25.473] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:25.473] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:25.734] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.14.17610986931340.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765431625473, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:25.734] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:40:25.734] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:25.734] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 13:40:25.734] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:28.597] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24917 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.15.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.15.17610986931340.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=92d5cc73b91c6652f8ee392b8e220f94fd7ede15f3e32cb6236ae2009e0b6a73&X-Amz-Date=20251211T054028Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:40:28.597] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:28.597] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:28.597] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:28.597] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:28.597] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:28.598] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:28.850] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.15.17610986931340.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765431628598, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:28.850] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:40:28.850] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:28.850] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:28.850] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:31.932] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25661 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.16.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.16.17610986931340.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=f0489311fe60b59e088df1b439748cf45451551fb689d5e7f9ff1331fbd76966&X-Amz-Date=20251211T054031Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:40:31.932] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:31.932] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:31.932] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:31.932] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:31.932] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:31.933] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:32.250] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.16.17610986931340.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765431631934, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", 
"protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:32.250] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:40:32.250] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:32.250] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:32.250] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:35.393] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25662 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.17.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.17.17610986931340.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T054034Z&X-Amz-Signature=4c2f670778117a8270592968a992aa060dff83a24bed4adf7c4c32999880cca0&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 13:40:35.393] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:35.393] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:35.393] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:35.393] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:35.393] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:35.394] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:35.664] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.17.17610986931340.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765431635394, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:35.664] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:40:35.664] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:35.664] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:35.664] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:38.519] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26056 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.18.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.18.17610986931340.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=5a3ae66c7cfec250eb424e2d812bb478bb57a8d8bc0cbc538a73c6a23763ce9e&X-Amz-Date=20251211T054038Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:40:38.519] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:38.519] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:38.520] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:38.520] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:38.520] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:38.520] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:38.764] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.18.17610986931340.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765431638520, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:38.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:40:38.764] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:38.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:38.764] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:41.664] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26057 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.19.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.19.17610986931340.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T054041Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=86e2821f1902dfca17ae89e5546a31d128c4efabf30d97c1be5ad1cbeea845df"} [2025-12-11 13:40:41.664] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:41.664] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:41.664] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:41.664] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:41.664] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:41.664] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:41.913] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.19.17610986931340.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765431641664, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": 
"tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:41.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:40:41.913] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:41.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:41.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:44.849] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26058 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.20.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.20.17610986931340.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=40568be20b9479614dd2628a48ba9d616e62fc914507ceb8293b509771a149d5&X-Amz-Date=20251211T054044Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:40:44.849] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:44.849] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:44.849] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:44.849] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:44.849] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:44.850] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:45.102] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.20.17610986931340.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765431644850, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:45.102] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:40:45.102] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:45.102] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:45.102] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:47.987] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24918 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.21.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.21.17610986931340.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T054047Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=d9f6c14434ca2667f40cd530da90a80e02138c62a3368461eec2294862c7c3c1"} [2025-12-11 13:40:47.987] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:47.987] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:47.987] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:47.987] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:47.987] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:47.988] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:48.240] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.21.17610986931340.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765431647988, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:48.240] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:40:48.240] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:48.240] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:48.240] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:51.176] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25663 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.2.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.2.17610986931340.jsonl?X-Amz-Signature=2ffbfb4113baa329980a036ad4472fde12d433ea625261271303e2564f4b918e&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T054050Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 13:40:51.176] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:51.176] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:51.176] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:51.176] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:51.176] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:51.177] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:51.442] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.2.17610986931340.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765431651177, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:51.442] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:40:51.442] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:51.442] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:51.442] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:40:54.702] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25664 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.22.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.22.17610986931340.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T054054Z&X-Amz-Signature=bf5ab7b8e54b7723751cdccbfaac5bc612bd7365563b6de96dbb9f057abd1bec&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:40:54.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:54.702] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:54.702] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:54.702] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:54.702] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:54.703] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:54.948] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.22.17610986931340.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765431654703, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 
3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:54.948] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:40:54.948] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:54.948] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:54.948] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:40:58.573] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24919 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.23.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.23.17610986931340.jsonl?X-Amz-Signature=31f391d255918afbe83c3b73cb3eee7932da4f6136658a9f10afb3125daf6ada&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T054058Z"} [2025-12-11 13:40:58.573] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:40:58.573] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:40:58.573] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:40:58.573] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:40:58.573] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:40:58.573] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:40:58.821] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.23.17610986931340.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765431658574, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": 
"tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:40:58.821] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:40:58.821] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:40:58.821] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:40:58.821] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:41:01.809] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26059 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.24.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.24.17610986931340.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T054101Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=6cf5a7c860ab40cf1e37431f2dcb11ad8a74dca00e8071ee755c4d4a4b6c75c2"} [2025-12-11 13:41:01.810] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:01.810] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:01.810] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:01.810] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:01.810] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:01.810] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:02.044] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.24.17610986931340.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765431661810, "module": 
"anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", 
"protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:02.044] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:41:02.044] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:02.044] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:02.044] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:41:05.232] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26060 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.25.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.25.17610986931340.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T054104Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=6b7fb8919517144679d8ccb0fa0f211655cc3d25ae3a6bfd2173240c6e2f50aa"} [2025-12-11 13:41:05.233] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:05.233] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:05.233] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:05.233] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:05.233] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:05.233] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:05.510] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.25.17610986931340.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765431665233, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 
4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:05.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:41:05.510] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:05.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:05.510] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:41:08.472] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25665 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.26.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.26.17610986931340.jsonl?X-Amz-Signature=cb03e40f865b745d425cada2d3f7a9ebfcc117472bb9a66136e3f65966885fff&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T054108Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:41:08.472] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:08.472] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:08.472] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:08.472] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:08.472] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:08.473] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:08.714] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.26.17610986931340.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765431668473, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", 
"src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:08.714] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:41:08.714] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:08.714] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:08.714] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:41:11.694] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26061 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.3.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.3.17610986931340.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=bd1f8e8c6b290419d381c10cea22c00af5a37ca30358fdbf94a3cd92872c0281&X-Amz-Date=20251211T054111Z&X-Amz-Expires=604800"} [2025-12-11 13:41:11.694] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:11.694] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:11.694] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:11.694] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:11.694] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 13:41:11.695] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:11.953] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.3.17610986931340.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765431671695, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:11.953] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 13:41:11.953] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:11.953] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:11.953] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:41:14.831] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25666 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.4.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.4.17610986931340.jsonl?X-Amz-Expires=604800&X-Amz-Signature=9c0898e3c556ed0389a30484e8dcfa788e3712d376882d20f79539fdef98709e&X-Amz-Date=20251211T054114Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:41:14.831] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:14.831] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:14.831] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:14.831] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:14.831] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:14.831] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:15.049] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.4.17610986931340.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765431674832, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:15.049] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000 [2025-12-11 13:41:15.049] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:15.049] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:15.049] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:41:18.387] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25667 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.5.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.5.17610986931340.jsonl?X-Amz-Signature=5c2e3878802be977792ac71680513687b2c938246a15c19c0c7f78277f44fe4d&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T054117Z"} [2025-12-11 13:41:18.387] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:18.388] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:18.388] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:18.388] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:18.388] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:18.389] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:18.645] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.5.17610986931340.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765431678389, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 
50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, 
"2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:18.645] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:41:18.645] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:18.645] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:18.645] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:41:21.520] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26062 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.6.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.6.17610986931340.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=1fcefab28984c46a984330ee1238752d169f70d09ee3f29b6f00f9d02973fa8b&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T054120Z"} [2025-12-11 13:41:21.520] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:21.520] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:21.520] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:21.520] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:21.520] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:21.521] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:21.773] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.6.17610986931340.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765431681521, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:21.773] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 13:41:21.773] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:21.773] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:21.773] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:41:24.712] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26063 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.7.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.7.17610986931340.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T054124Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=32576b74682979e7ff555a9ae521c31c03eb63c93009bed7ff0859de6f2c060f&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:41:24.712] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:24.712] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:24.713] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:24.713] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:24.713] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:24.713] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:24.970] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.7.17610986931340.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765431684713, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", 
"protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:24.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:41:24.970] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:24.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:24.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:41:27.901] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26064 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.8.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.8.17610986931340.jsonl?X-Amz-Date=20251211T054127Z&X-Amz-Signature=6c0554ca7d8333b7908180452ea8c276693b3c6659da9aa7a468f657879d0cf6&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:41:27.901] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:27.901] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:27.901] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:27.901] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:27.901] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:27.902] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:28.159] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.8.17610986931340.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765431687902, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:28.159] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:41:28.159] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:28.159] [INFO] 
[tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:28.159] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:41:31.096] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26065 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.17610986931340.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.17610986931340.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T054130Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=2c3caff072db31c68bb1a8bef441e1ec22dafe65678d9320b7248fa022c03e86"} [2025-12-11 13:41:31.096] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:31.096] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:31.096] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:31.096] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:31.096] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:31.097] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:31.343] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.17610986931340.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765431691097, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:41:31.343] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:41:31.343] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:41:31.343] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:41:31.343] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:41:34.413] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25668 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.1765431648.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.1765431648.jsonl?X-Amz-Signature=081e60fd897876a99eb8d6a342deeb2b233566c10c46abe6fcc81b7852082134&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T054134Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 13:41:34.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:41:34.413] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:41:34.413] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:41:34.413] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:41:34.413] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:41:34.414] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:41:34.420] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.1765431648.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765431694414, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 13:41:34.420] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 13:41:34.420] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:09.494] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26066 key: NULL payload: 
{"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.10.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.10.17610986931350.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=59698ff69e59414cd75e557c3e211e7faca32a0885d7ae71d88c8ce17bebdf60&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T055009Z"} [2025-12-11 13:50:09.494] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:09.494] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:09.494] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:09.494] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:09.495] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:09.496] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:09.804] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.10.17610986931350.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765432209496, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:09.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:50:09.804] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:09.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:09.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:12.651] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24920 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.11.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.11.17610986931350.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=9be8292b17ca8de6c14fd3fd5933a1513029a7d16c51642cb484c7f095e4c152&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T055012Z&X-Amz-Expires=604800"} [2025-12-11 13:50:12.651] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:12.651] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:12.651] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:12.652] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:12.652] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:12.652] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:12.938] 
[DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.11.17610986931350.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765432212652, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:12.938] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:50:12.938] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:12.938] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:12.938] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:15.811] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25669 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.1.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.1.17610986931350.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=fdce25dccad17a6b1fdfec64906bc679350f69ec17a88581c725791b0a7eef40&X-Amz-Date=20251211T055015Z"} [2025-12-11 13:50:15.811] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:15.811] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:15.811] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:15.811] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:15.811] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:15.812] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:16.072] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.1.17610986931350.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765432215812, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:16.072] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:50:16.072] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:16.072] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:16.072] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:19.015] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25670 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.12.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.12.17610986931350.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=018423afa793d3a83ad315a7ab43765beb24aaf4163f3fcc323a685a146841af&X-Amz-Date=20251211T055018Z"} [2025-12-11 13:50:19.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:19.016] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:19.016] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:19.016] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:19.016] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:19.017] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:19.280] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.12.17610986931350.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765432219017, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
...]} [2025-12-11 13:50:19.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 13:50:19.280] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:19.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:19.280] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:22.184] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24921 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.13.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.13.17610986931350.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=5fd4c0820d867d3a7d3e4c29580d39c94d0298d5680f65a56e4594366afc2565&X-Amz-Date=20251211T055021Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 13:50:22.185] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:22.185] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:22.185] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:22.185] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:22.185] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:22.185] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:22.428] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.13.17610986931350.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765432222185, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [...]} [2025-12-11 13:50:22.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 13:50:22.428] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:22.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:22.428] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:50:25.563] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26067 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.14.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.14.17610986931350.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T055025Z&X-Amz-Signature=937b6bf6cd54da3de9b1ec8b782c6c6318fa25015a88e626e116695feb00588d&X-Amz-SignedHeaders=host"} [2025-12-11 13:50:25.563] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:25.563] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:25.563] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:25.563] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:25.563] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:25.563] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:25.821] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.14.17610986931350.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765432225564, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [...]} [2025-12-11 13:50:25.822] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:50:25.822] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:25.822] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 13:50:25.822] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:28.688] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24922 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.15.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.15.17610986931350.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T055028Z&X-Amz-Expires=604800&X-Amz-Signature=b320919adfe3a78d941be09844ca52c0e33299ec4b41938ebbf334d385d31621&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:50:28.688] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:28.688] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:28.688] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:28.688] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:28.688] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:28.688] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:28.938] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.15.17610986931350.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765432228688, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [...]} [2025-12-11 13:50:28.938] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:50:28.938] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:28.938] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:28.938] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:50:32.016] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25671 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.16.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.16.17610986931350.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T055031Z&X-Amz-Signature=84f0b4a39f466ee5af191ba7f149af8c165cb2b17652776d6292beab4d1180b7&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:50:32.016] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:32.016] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:32.016] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:32.016] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:32.016] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:32.017] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:32.283] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.16.17610986931350.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765432232017, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [...]} [2025-12-11 13:50:32.283] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:50:32.283] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:32.283] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:32.283] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:50:35.474] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24923 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.17.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.17.17610986931350.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=584f65f483bd95165a85095abab78b9d6cbc7544240d9b80e386f5ef17dee816&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T055035Z&X-Amz-SignedHeaders=host"} [2025-12-11 13:50:35.474] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:35.474] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:35.474] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:35.474] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:35.474] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:35.475] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:35.740] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.17.17610986931350.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765432235476, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", 
"protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:35.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:50:35.740] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:35.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:35.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:38.608] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26068 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.18.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.18.17610986931350.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=61197d8c7e2d9aa45a67150e4d86fab8d33fe5bf8a927ed9180b14b156e481d9&X-Amz-Date=20251211T055038Z"} [2025-12-11 13:50:38.608] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:38.608] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:38.609] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:38.609] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:38.609] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:38.609] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:38.840] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.18.17610986931350.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765432238609, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:38.840] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:50:38.840] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:38.840] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:38.840] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:50:41.767] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24924 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.19.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.19.17610986931350.jsonl?X-Amz-Date=20251211T055041Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=cf85980f69125461f1397a6861c12274c93dbf41ea9afb3b3bc4dd58960b69fd"} [2025-12-11 13:50:41.767] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:41.767] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:41.767] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:41.767] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:41.767] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:41.768] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:42.008] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.19.17610986931350.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765432241768, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": 
"tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:42.009] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:50:42.009] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:42.009] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:42.009] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:44.968] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26069 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.20.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.20.17610986931350.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=c2d8edfcbcb1d3798e5434b2deaf6fd210adafe44e46acd5f88d16daff13ab9d&X-Amz-Date=20251211T055044Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:50:44.968] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:44.968] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:44.968] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:44.968] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:44.968] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:44.969] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:45.243] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:13/output/gbm/alert.pcap.20.17610986931350.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765432244969, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", 
"src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:45.243] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:50:45.243] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:45.243] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:45.243] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:50:48.102] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26070 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.21.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.21.17610986931350.jsonl?X-Amz-Date=20251211T055047Z&X-Amz-SignedHeaders=host&X-Amz-Signature=f79c5cdfca5793b256759b968db1386deab8eaf39888ef2970a7f2c1a2199797&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:50:48.102] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:48.102] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:48.102] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:48.103] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:48.103] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:48.103] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:48.356] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.21.17610986931350.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765432248104, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": 
"tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:48.356] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 13:50:48.356] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:48.356] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:48.356] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:50:51.297] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26071 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.2.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.2.17610986931350.jsonl?X-Amz-Signature=c19e7fbd7b6c5936edf063c7aadcc1944919cc886699aeee7ef54e399af88d73&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T055050Z&X-Amz-Expires=604800"} [2025-12-11 13:50:51.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:51.297] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:51.297] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:51.297] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:51.297] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:51.298] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:51.547] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.2.17610986931350.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765432251298, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 
8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:51.548] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 13:50:51.548] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:51.548] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:51.548] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:50:54.813] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26072 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.22.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.22.17610986931350.jsonl?X-Amz-Date=20251211T055054Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=28462e8bc6a0b4809ce7feef8049dea20acff1402a168c348044fe0f01dccc8d"} [2025-12-11 13:50:54.813] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:54.813] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:54.813] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:54.813] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:54.813] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:54.814] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:55.074] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.22.17610986931350.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765432254814, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, 
"2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:55.074] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:50:55.074] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:55.074] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:55.074] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:50:58.660] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26073 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.23.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.23.17610986931350.jsonl?X-Amz-Signature=e14bf8de84b91a6d3581a942c9b12c270095c52bc5c41bb4592965d70bcc5324&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T055058Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 13:50:58.660] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:50:58.660] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:50:58.661] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:50:58.661] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:50:58.661] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:50:58.662] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:50:58.913] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.23.17610986931350.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765432258662, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": 
"tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 
1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:50:58.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 13:50:58.913] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:50:58.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:50:58.913] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:51:01.887] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24925 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.24.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.24.17610986931350.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T055101Z&X-Amz-Expires=604800&X-Amz-Signature=bad1af5bd30637b848905e2b9740ce93cc144b75c6d8dcac0c0af026c2cd5a31"} [2025-12-11 13:51:01.887] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:01.887] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:01.887] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:01.887] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:01.887] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:01.887] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:02.132] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.24.17610986931350.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765432261887, "module": 
"anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", 
"protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:02.132] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:51:02.132] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:02.132] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:02.132] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:51:05.321] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26074 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.25.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.25.17610986931350.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=30e80399c41c2a24a75c9f9417e8a9c7624e3b86d52e329ab53fcfada75fe3a5&X-Amz-Date=20251211T055104Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:51:05.321] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:05.321] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:05.322] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:05.322] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:05.322] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:05.322] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:05.580] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.25.17610986931350.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765432265322, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:05.580] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 13:51:05.580] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:05.580] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:05.580] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:51:08.571] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26075 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.26.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.26.17610986931350.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T055108Z&X-Amz-Expires=604800&X-Amz-Signature=5cab9cc1182e842aa9e5e00c3270831730d998332ab302181509786fa27408f7&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:51:08.572] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:08.572] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:08.572] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:08.572] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:08.572] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:08.572] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:08.837] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.26.17610986931350.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765432268572, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:08.837] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 13:51:08.837] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:08.837] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:08.837] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:51:11.800] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26076 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.3.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.3.17610986931350.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=16a1c7f1f50909711734d02b06c3efed61a9c933d59b88aa5b28ff1ec39888fe&X-Amz-Date=20251211T055111Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:51:11.801] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:11.801] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:11.801] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:11.801] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:11.801] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 13:51:11.802] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:12.068] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.3.17610986931350.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765432271802, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, 
"2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:12.068] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 13:51:12.068] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:12.068] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:12.068] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:51:14.930] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25672 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.4.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.4.17610986931350.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=39c99eb04e733a0a05806a7467bd927b6c51b5fa476d54d2028c0e9cc5a49214&X-Amz-Expires=604800&X-Amz-Date=20251211T055114Z"} [2025-12-11 13:51:14.930] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:14.930] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:14.930] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:14.930] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:14.930] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:14.930] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:15.106] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.4.17610986931350.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765432274930, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:15.106] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000 [2025-12-11 13:51:15.106] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:15.106] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:15.106] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:51:18.469] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24926 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.5.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.5.17610986931350.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=f4e2a838ce7b42f6a2ea5c4acc9eaf25e6aa99a2c125c8f55c6b77cc35f5b3c6&X-Amz-Expires=604800&X-Amz-Date=20251211T055118Z"} [2025-12-11 13:51:18.469] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:18.469] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:18.469] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:18.469] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:18.469] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:18.469] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:18.686] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.5.17610986931350.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765432278469, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:18.686] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:51:18.686] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:18.686] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:18.686] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:51:21.611] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26077 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.6.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.6.17610986931350.jsonl?X-Amz-Signature=60c4f661c813bb6a891d09e4227ccb21d1d0ab84261af3cbcb03778fc8c98b91&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T055121Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 13:51:21.611] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:21.611] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:21.611] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:21.611] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:21.611] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:21.612] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:21.795] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.6.17610986931350.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765432281612, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:21.795] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 13:51:21.795] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:21.795] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:21.795] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:51:24.816] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25673 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.7.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.7.17610986931350.jsonl?X-Amz-Signature=ff79f7cfcd971e6d0fd457ab179d3a9dc8be99c6548c693e8023d79009141959&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T055124Z"} [2025-12-11 13:51:24.816] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:24.816] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:24.816] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:24.816] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:24.816] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:24.817] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:25.011] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.7.17610986931350.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765432284817, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", 
"protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:25.011] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 13:51:25.011] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:25.011] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:25.011] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:51:28.004] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25674 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.8.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.8.17610986931350.jsonl?X-Amz-Date=20251211T055127Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=fa9275f5fd1ba2775db988436a1713a3075b7437fb2d9dd6eb44ebc20b2ed4c3&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 13:51:28.004] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:28.005] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:28.005] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:28.005] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:28.005] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:28.005] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:28.191] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.8.17610986931350.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765432288005, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:28.191] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:51:28.191] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
13:51:28.191] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:28.191] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 13:51:31.198] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25675 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.17610986931350.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.17610986931350.jsonl?X-Amz-Signature=900fb2deeb2ffe3a578b9a73c911f70c9a6c3391c2c732416165b53e075515b5&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T055130Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 13:51:31.198] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:51:31.198] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:51:31.198] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:51:31.198] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:51:31.198] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:51:31.199] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:51:31.493] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.17610986931350.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765432291199, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", 
"src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 13:51:31.493] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 13:51:31.493] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 13:51:31.493] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 13:51:31.493] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 13:55:56.782] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26078 key: NULL payload: {"bucket":"2025-12-11","object":"13/output/gbm/alert.pcap.9.1765432549.jsonl","url":"http://111.32.12.11:9000/2025-12-11/13/output/gbm/alert.pcap.9.1765432549.jsonl?X-Amz-Signature=ee37d4620a23f758509620f06af1bfab78fc9f5c7696842b1d997ded4c3de41f&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T055556Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 13:55:56.782] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 13:55:56.782] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 13:55:56.782] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 13:55:56.782] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 13:55:56.783] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 13:55:56.783] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 13:55:56.794] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:13/output/gbm/alert.pcap.9.1765432549.jsonl|result:{"code": 0, "total_count": 0, "alert_count": 0, "abnormal_count": 0, "normal_count": 0, "timestamp": 1765432556784, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 13:55:56.794] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 13:55:56.794] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:00.874] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26079 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.5.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.5.17610986931400.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=196ffd586ff4cc210507008a3f7a5a9e01bed8e97b00bf7fe00d5a9d6c3cd106&X-Amz-Date=20251211T060100Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:01:00.874] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:00.874] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:00.874] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:00.874] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:00.874] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:00.875] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:01.129] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.5.17610986931400.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765432860875, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 
1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, 
"2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:01.129] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:01:01.129] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:01.129] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:01.129] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:01.783] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24927 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.20.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.20.17610986931400.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T060101Z&X-Amz-SignedHeaders=host&X-Amz-Signature=d592f93aabe358e84ecc446d17a7309399143824d652fa5df5e43f2327b9d50a"} [2025-12-11 14:01:01.783] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:01.783] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:01.783] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:01.783] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:01.783] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:01.784] [INFO] 
[tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:02.023] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.20.17610986931400.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765432861784, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:02.023] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:01:02.023] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:02.023] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:02.023] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:02.316] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26080 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.26.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.26.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=fbf3b9cc3e5f293a2ee9e7def3385331dfe4d8ab4554b5cc6b44f7004b7ec3e6&X-Amz-Date=20251211T060102Z"} [2025-12-11 14:01:02.316] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:02.316] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:02.316] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:02.316] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:02.316] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:02.316] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:02.559] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.26.17610986931400.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765432862316, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:02.559] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:01:02.559] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:02.559] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:02.559] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:03.064] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26081 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.14.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.14.17610986931400.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T060103Z&X-Amz-Expires=604800&X-Amz-Signature=babc76239787598265d68695eb3be1678f635acb0b717888bbb396af24d901ac"} [2025-12-11 14:01:03.065] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:03.065] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:03.065] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:03.065] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:03.065] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:03.066] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:03.378] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.14.17610986931400.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765432863066, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 
1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:03.378] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:01:03.378] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
14:01:03.378] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:03.378] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:03.790] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24928 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.8.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.8.17610986931400.jsonl?X-Amz-Signature=49f35ca2b77a7b4de57d14750c1f378ce01b71590126a4f02d238e264f2b438a&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T060103Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 14:01:03.790] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:03.790] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:03.790] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:03.790] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:03.790] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:03.790] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:04.022] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.8.17610986931400.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765432863790, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", 
"src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:04.022] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 14:01:04.022] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:04.022] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:04.022] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:04.339] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26082 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.22.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.22.17610986931400.jsonl?X-Amz-Date=20251211T060104Z&X-Amz-Signature=fb5886b82d6cce2c5e13ea5c6750ca0263a270ea28faf004bbe0935cce378010&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:01:04.339] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:04.339] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:04.339] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:04.339] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:04.339] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:04.339] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:04.575] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.22.17610986931400.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765432864339, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:04.575] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:01:04.575] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:04.575] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:04.575] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:04.986] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26083 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.25.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.25.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T060104Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=6250437f360521252a6daf8fc8edb4861b78fb0eb7c09a4561d99538d4174bdf"} [2025-12-11 14:01:04.986] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:04.986] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:04.987] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:04.987] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:04.987] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:04.988] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:05.238] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.25.17610986931400.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765432864988, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:05.238] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:01:05.238] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:05.238] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:05.238] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:05.569] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25676 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.17.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.17.17610986931400.jsonl?X-Amz-Date=20251211T060105Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=548ef5465aeb0d1bf169826a4952a47a70f6fce8a6154326f55239ff1bb5edd8&X-Amz-Expires=604800"} [2025-12-11 14:01:05.569] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:05.569] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:05.569] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:05.569] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:05.569] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:05.570] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:05.804] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.17.17610986931400.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765432865570, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:05.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:01:05.804] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:05.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:05.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:06.148] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25677 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.21.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.21.17610986931400.jsonl?X-Amz-Date=20251211T060106Z&X-Amz-Signature=56b1275926754c9dae77538fff1fbe446533d448947744c8e0846684abfc1f69&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:01:06.148] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:06.148] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:06.148] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:06.148] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:06.148] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:06.148] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:06.384] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.21.17610986931400.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765432866149, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} 
[2025-12-11 14:01:06.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 14:01:06.384] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:06.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:06.384] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:06.743] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25678 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.15.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.15.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=489c4c522919c1b3dd27e16d9ebee88594a0868cb07b48e9f22d7ae4b76ab58e&X-Amz-Date=20251211T060106Z"} [2025-12-11 14:01:06.743] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:06.743] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:06.743] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:06.743] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:06.743] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:06.743] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:06.977] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.15.17610986931400.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765432866743, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": 
[{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", 
"src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:06.977] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 14:01:06.977] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) 
gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:06.977] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:06.977] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:07.288] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25679 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.4.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.4.17610986931400.jsonl?X-Amz-Date=20251211T060107Z&X-Amz-Expires=604800&X-Amz-Signature=7027d1a4c8d969f957e93737a74a17d24ba23313454a3c52ad953d5784552dd2&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 14:01:07.288] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:07.288] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:07.288] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:07.288] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:07.289] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:07.289] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:07.523] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.4.17610986931400.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765432867289, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:07.523] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 16|max_alert: 1000 [2025-12-11 14:01:07.523] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:07.523] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:07.523] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:07.804] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26084 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.19.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.19.17610986931400.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=863698334e34fed0189177036b8f5678a8a1d80c4c4218f8ee8e3290bceda8a1&X-Amz-Date=20251211T060107Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:01:07.804] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:07.804] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:07.804] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:07.804] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:07.804] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:07.804] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:08.058] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.19.17610986931400.jsonl|result:{"code": 1, 
"total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765432867804, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:08.058] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:01:08.058] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:08.058] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:08.058] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:08.438] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26085 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.10.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.10.17610986931400.jsonl?X-Amz-Signature=2b98219bf0fbf600ab84e110764205197102a8693f3c6a5edffaa118fbf1f7b0&X-Amz-Date=20251211T060108Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 14:01:08.438] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:08.438] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:08.438] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:08.438] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:08.438] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:08.438] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:08.669] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.10.17610986931400.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765432868438, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", 
"src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:08.669] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:01:08.669] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:08.669] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:08.669] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:09.020] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26086 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.13.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.13.17610986931400.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T060109Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=a0399a98ff5f97c45ec2c28b41331b936b8abfcb15ee31d4a07022d81f7d9970"} [2025-12-11 14:01:09.020] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:09.020] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:09.020] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:09.020] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:09.020] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:09.020] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:09.261] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.13.17610986931400.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765432869020, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:09.261] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 14:01:09.261] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:09.261] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:09.261] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:09.604] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25680 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.6.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.6.17610986931400.jsonl?X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=5e031100a72d8eae8632f0622e6bb4828253362d5b8174ec815662ee0230679c&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T060109Z&X-Amz-Expires=604800"} [2025-12-11 14:01:09.604] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:09.604] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:09.604] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:09.604] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:09.604] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:09.605] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:09.844] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.6.17610986931400.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765432869605, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:09.844] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 14:01:09.844] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:09.844] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:09.844] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:10.135] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24929 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.18.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.18.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T060110Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=b0d5147eda5150af87abd17a81b84281b178f8c47ac12e1fe0261206238a956b"} [2025-12-11 14:01:10.136] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:10.136] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:10.136] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:10.136] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:10.136] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:10.136] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:10.367] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.18.17610986931400.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765432870136, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:10.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:01:10.368] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:10.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:10.368] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:10.758] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26087 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.3.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.3.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T060110Z&X-Amz-SignedHeaders=host&X-Amz-Signature=9084df48b5cd243e9acdcd976ed9d7ab1ed49be89723fe1dd67db22d8330dbf0"} [2025-12-11 14:01:10.759] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:10.759] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:10.759] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:10.759] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:10.759] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:10.759] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:11.042] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.3.17610986931400.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765432870759, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:11.042] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 30|max_alert: 1000 [2025-12-11 14:01:11.042] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:11.042] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:11.042] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:11.365] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26088 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.23.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.23.17610986931400.jsonl?X-Amz-Date=20251211T060111Z&X-Amz-Signature=e76935895b18bee3e29579756133c6044c1fbc0aade6d3eeec815ec46f345ddc&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:01:11.365] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:11.365] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:11.365] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:11.365] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:11.365] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:11.366] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:11.600] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.23.17610986931400.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765432871366, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:11.600] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 14:01:11.600] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:11.600] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:11.600] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:11.953] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24930 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.9.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.9.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T060111Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=2c8d3bc8d31bf3b493767e316a9565355bdbc8e859526e1de19554f7735f71a2"} [2025-12-11 14:01:11.953] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:11.953] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:11.954] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:11.954] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:11.954] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:11.954] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:12.187] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.9.17610986931400.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765432871954, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 
1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:12.187] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 14:01:12.187] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:12.187] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:12.187] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:12.645] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24931 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.16.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.16.17610986931400.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T060112Z&X-Amz-Signature=7ac37aa75fb80a8e76c127fcee2740b9442a55cdad9020fb72f7e9e4f5e12eef&X-Amz-SignedHeaders=host"} [2025-12-11 14:01:12.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:12.646] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:12.646] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:12.646] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:12.646] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:12.646] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:12.908] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.16.17610986931400.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765432872646, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": 
"tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:12.908] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 14:01:12.908] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:12.908] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:12.909] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:13.202] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26089 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.11.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.11.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T060113Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=0bca3093ca09fbca175f53f914300088311d47a2c054fe086e7be2fb62429c81"} [2025-12-11 14:01:13.202] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:13.202] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:13.202] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:13.202] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:13.202] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:13.203] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:13.432] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.11.17610986931400.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765432873203, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", 
"protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:13.432] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 14:01:13.432] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:13.432] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:13.432] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:13.812] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25681 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.1.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.1.17610986931400.jsonl?X-Amz-Date=20251211T060113Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=427ef5e96687e8418411a57e5be320b54e8aaf6c7a0c4f9f6424e18811a2055e&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:01:13.813] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:13.813] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:13.813] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:13.813] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:13.813] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:13.814] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:14.055] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.1.17610986931400.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765432873814, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, 
"2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:14.055] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:01:14.055] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:14.055] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 
根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:14.055] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:14.414] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25682 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.2.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.2.17610986931400.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T060114Z&X-Amz-Signature=37b129bd79eee1aee1f03c868304b7c69a4d9b4f03078c0041aaf708cbf57903&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:01:14.414] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:14.414] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:14.414] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:14.414] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:14.414] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:14.415] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:14.670] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.2.17610986931400.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765432874415, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, 
"2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 
1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:14.670] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 14:01:14.670] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:14.670] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:14.670] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:15.130] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24932 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.24.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.24.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=1cd5eb7d0344cdc1d32ad8eaeacb9c9869778648c5a42bc046f7a2872e0cec5d&X-Amz-Date=20251211T060115Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:01:15.131] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:15.131] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:15.131] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:15.131] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:15.131] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:15.131] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:15.358] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.24.17610986931400.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765432875131, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 
8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:15.358] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:01:15.358] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:15.358] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:15.358] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:01:15.719] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25683 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.12.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.12.17610986931400.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T060115Z&X-Amz-Expires=604800&X-Amz-Signature=658a21537cfad5fa94290cac7ef5d3a38d8c39e395edda5af7793e4b605762f3&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:01:15.719] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:15.719] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:15.720] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:15.720] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:15.720] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:15.720] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:15.958] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:14/output/gbm/alert.pcap.12.17610986931400.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765432875720, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", 
"src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:15.959] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 14:01:15.959] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:15.959] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:15.959] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:01:16.401] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26090 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.7.17610986931400.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.7.17610986931400.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=08eecd0eb254428a2dc3bdb242dbf03586693cac4b453ba49bd19d9523dad52d&X-Amz-Date=20251211T060116Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 14:01:16.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:01:16.401] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:01:16.401] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:01:16.401] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:01:16.401] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:01:16.401] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:01:16.627] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.7.17610986931400.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765432876402, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:01:16.627] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:01:16.627] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:01:16.627] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:01:16.627] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:10:20.153] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26091 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.10.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.10.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=5bd1495b828fdda3e67475d5248de2b9b1181ce6241bf17dfef0683617df5e36&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061020Z&X-Amz-SignedHeaders=host"} [2025-12-11 14:10:20.153] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:20.153] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:20.153] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:20.153] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:20.153] [INFO] [tid:129356944758464] 
(AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:20.154] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:20.461] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.10.17610986931410.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765433420154, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, 
"5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:20.461] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:10:20.461] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:20.461] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:20.461] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:10:23.298] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24933 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.11.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.11.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061022Z&X-Amz-Signature=f6b790fc5d03ab4edcdccc2a8415cce6415b49f1a8be4b35a4dfeba6d89fc69c&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 14:10:23.298] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:23.299] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:23.299] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:23.299] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:23.299] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:23.299] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:23.538] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.11.17610986931410.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765433423299, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": 
"tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:23.538] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 14:10:23.538] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:23.538] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:23.538] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:10:26.473] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26092 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.1.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.1.17610986931410.jsonl?X-Amz-Date=20251211T061026Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=856e2c5598309a8709d9575b7b396b5d93ceee36219a5887cd904a3c06d0af5e"} [2025-12-11 14:10:26.474] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:26.474] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:26.474] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:26.474] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:26.474] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:26.475] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:26.716] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.1.17610986931410.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765433426475, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:26.716] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:10:26.716] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:26.716] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 
根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:26.716] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:10:29.678] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26093 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.12.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.12.17610986931410.jsonl?X-Amz-Signature=8aaa70357f52fa4e8c9e067bfc7ca01f56d1249aaa9388c1d97fbc50c64e06ab&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061029Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 14:10:29.679] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:29.679] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:29.679] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:29.679] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:29.679] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:29.679] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:29.915] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.12.17610986931410.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765433429679, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 
1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 
14:10:29.915] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 14:10:29.915] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:29.915] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:29.915] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:10:32.899] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24934 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.13.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.13.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061032Z&X-Amz-SignedHeaders=host&X-Amz-Signature=d97c7f5f12593374f9be4f1b483d015063505e72133d1c304950052b6215d3fc&X-Amz-Expires=604800"} [2025-12-11 14:10:32.899] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:32.899] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:32.900] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:32.900] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:32.900] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:32.900] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:33.208] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.13.17610986931410.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765433432900, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": 
"10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, 
"dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:33.208] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 14:10:33.208] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:33.208] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:33.208] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:10:36.297] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24935 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.14.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.14.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=827fddbf9d7bca3069613eed4d574db55245a220ed6c6b7ad4177f18792afd49&X-Amz-Date=20251211T061035Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 14:10:36.297] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:36.297] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:36.297] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:36.297] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:36.297] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:36.298] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:36.555] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.14.17610986931410.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765433436298, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:36.555] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:10:36.555] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:36.555] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 14:10:36.555] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:10:39.422] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24936 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.15.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.15.17610986931410.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=d9df04d03ae1f6189f749432e9e3372226066ab706529e9beb7cd2696b269e54&X-Amz-Date=20251211T061038Z"} [2025-12-11 14:10:39.422] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:39.422] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:39.422] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:39.422] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:39.422] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:39.422] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:39.660] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.15.17610986931410.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765433439423, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 
6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 
1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:39.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 14:10:39.661] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:39.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:39.661] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:10:42.765] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25684 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.16.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.16.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061042Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=e0f49293be3e085c1e49e24dcf3e65ad8e24ad8bf7a9b9c7409504f1c70004b7&X-Amz-SignedHeaders=host"} [2025-12-11 14:10:42.766] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:42.766] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:42.766] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:42.766] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:42.766] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:42.767] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:43.027] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.16.17610986931410.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765433442767, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": 
"tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:43.027] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 14:10:43.027] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:43.027] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:43.027] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:10:46.238] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26094 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.17.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.17.17610986931410.jsonl?X-Amz-Date=20251211T061045Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=375f19f29e3833623df8bcea9bf59103fa5e9c30310f6012d192d99bd09e8389&X-Amz-SignedHeaders=host"} [2025-12-11 14:10:46.238] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:46.238] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:46.238] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:46.238] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:46.238] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:46.239] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:46.491] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.17.17610986931410.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765433446239, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:46.491] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:10:46.491] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:46.491] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:46.491] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:10:49.373] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24937 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.18.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.18.17610986931410.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=10ef81d0eb182aa4e4b7cd0ec26c66f1d306daa696ff865e504d450562e76c7d&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061048Z"} [2025-12-11 14:10:49.374] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:49.374] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:49.374] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:49.374] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:49.374] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:49.374] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:49.628] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.18.17610986931410.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765433449374, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:49.628] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:10:49.628] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:49.628] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:49.628] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:10:52.511] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25685 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.19.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.19.17610986931410.jsonl?X-Amz-Expires=604800&X-Amz-Date=20251211T061052Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=9a7824f37322b5893526e24077a007bf5f17cc1fee2befce987bbbdec9ca66d4"} [2025-12-11 14:10:52.511] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:52.511] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:52.511] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:52.511] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:52.512] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:52.512] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:52.786] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.19.17610986931410.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765433452512, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", 
"protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:52.787] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:10:52.787] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:52.787] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:52.787] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:10:55.693] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25686 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.20.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.20.17610986931410.jsonl?X-Amz-Signature=5d988d4fe4e3a3d9bc5197530a9eeda58f980c5a67eec27821871c824b770413&X-Amz-Date=20251211T061055Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 14:10:55.693] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:55.693] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:55.693] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:55.693] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:55.693] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:55.693] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:55.878] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:14/output/gbm/alert.pcap.20.17610986931410.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765433455693, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:55.878] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:10:55.878] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:55.878] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:55.878] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:10:58.838] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24938 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.21.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.21.17610986931410.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=fa043369a5a9d1e7413c84eeed36869f0341d5805876677f9d2b1f0249098bfb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061058Z"} [2025-12-11 14:10:58.839] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:10:58.839] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:10:58.839] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:10:58.839] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:10:58.839] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:10:58.839] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:10:59.026] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.21.17610986931410.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765433458839, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:10:59.026] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 14:10:59.026] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:10:59.026] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:10:59.026] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:11:02.037] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25687 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.2.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.2.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061101Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=a57a43e59edf6d10be261e54a7bc89690a10c349832767ce71eb86d8ae5cbc59"} [2025-12-11 14:11:02.037] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:02.037] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:02.037] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:02.037] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:02.037] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:11:02.038] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:02.240] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.2.17610986931410.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765433462038, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:02.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 14:11:02.241] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:11:02.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:11:02.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:11:05.452] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24939 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.22.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.22.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061105Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=a911f49ee899abaaebe6f757bf5f7b16ead97f1534bfc4b22777d03f79cd3c82"} [2025-12-11 14:11:05.452] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:05.452] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:05.452] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:05.452] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:05.452] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:11:05.453] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:05.700] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.22.17610986931410.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765433465454, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:05.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:11:05.700] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:11:05.700] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:11:05.701] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:11:09.296] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26095 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.23.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.23.17610986931410.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061108Z&X-Amz-SignedHeaders=host&X-Amz-Signature=73cbdeeef045bc94532714f6d0e91cdabeef54b3d958b7ee7f20ade4a12c7193&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:11:09.296] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:09.296] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:09.296] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:09.296] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:09.296] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:11:09.296] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:09.553] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.23.17610986931410.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765433469297, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": 
"tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:09.553] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 14:11:09.553] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:11:09.553] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:11:09.553] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:11:12.540] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25688 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.24.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.24.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061112Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=48fab473f6414431af3677243305bfefff43531dd81cb410bb6aff2d2778444a"} [2025-12-11 14:11:12.540] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:12.540] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:12.540] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:12.540] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:12.540] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:11:12.541] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:12.790] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.24.17610986931410.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765433472541, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:12.790] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:11:12.790] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:11:12.790] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:11:12.790] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:11:15.972] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26096 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.25.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.25.17610986931410.jsonl?X-Amz-Signature=cdc84d017cdcef865d07a6f3f5794a578ee7914d1830a5917660a7e4d08d006f&X-Amz-Expires=604800&X-Amz-Date=20251211T061115Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:11:15.972] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:15.972] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:15.972] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:15.972] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:15.972] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:11:15.972] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:16.226] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.25.17610986931410.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765433475972, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:16.226] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:11:16.226] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:11:16.226] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:11:16.226] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:11:19.212] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25689 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.26.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.26.17610986931410.jsonl?X-Amz-Signature=66dd3ef13774511d09960af7c7ffc47b10c2fe576e90770feddb64a701dd3bcd&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061118Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 14:11:19.212] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:19.212] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:19.212] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:19.212] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:19.212] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:11:19.212] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:19.471] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.26.17610986931410.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765433479213, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", 
"src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:19.471] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:11:19.471] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:11:19.471] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:11:19.471] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:11:22.439] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24940 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.3.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.3.17610986931410.jsonl?X-Amz-Signature=d49dfed72891b53f1b92f30ea2c073df3b9338c2589ac422cb7efe25f7a76869&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061121Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"} [2025-12-11 14:11:22.439] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:22.440] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:22.440] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:22.440] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:22.440] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 14:11:22.441] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:22.702] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.3.17610986931410.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765433482441, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, 
"2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:22.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 14:11:22.702] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:11:22.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:11:22.702] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:11:25.569] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25690 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.4.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.4.17610986931410.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061125Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=6cb9479e038baa58d680538a06f85c1cdbf370e9fb202d3bd53c152b3f76c64c"} [2025-12-11 14:11:25.569] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:11:25.569] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:11:25.569] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:11:25.569] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:11:25.569] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:11:25.570] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:11:25.826] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.4.17610986931410.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765433485570, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:11:25.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) 
gbm alert_count: 16|max_alert: 1000
[2025-12-11 14:11:25.826] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:11:25.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 14:11:25.826] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 14:11:29.080] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25691 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.5.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.5.17610986931410.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=2fe6d9b9a28aae2ab626a20ae53da0d1f427c5d80a4c1ebd990cd2396efad8e3&X-Amz-Expires=604800&X-Amz-Date=20251211T061128Z"}
[2025-12-11 14:11:29.080] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:11:29.080] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:11:29.080] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:11:29.080] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:11:29.080] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:11:29.081] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:11:29.263] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.5.17610986931410.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765433489081, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 14:11:29.263] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000
[2025-12-11 14:11:29.263] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:11:29.263] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 14:11:29.263] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 14:11:32.220] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25692 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.6.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.6.17610986931410.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=ab7bc363bdbd04475f6482a7c4ed59a5758b1e3253f935d401ed0a7c481eb6ce&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T061131Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"}
[2025-12-11 14:11:32.220] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:11:32.220] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:11:32.220] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:11:32.220] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:11:32.220] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:11:32.220] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:11:32.401] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.6.17610986931410.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765433492221, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 14:11:32.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000
[2025-12-11 14:11:32.401] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:11:32.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 14:11:32.401] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 14:11:35.441] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26097 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.7.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.7.17610986931410.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061135Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=1111bd067c9ba1de47816e82629f6c8eddafb5733904ea955b615ddee6c9c64c&X-Amz-SignedHeaders=host"}
[2025-12-11 14:11:35.441] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:11:35.441] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:11:35.441] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:11:35.441] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:11:35.441] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:11:35.442] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:11:35.622] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.7.17610986931410.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765433495442, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 14:11:35.622] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000
[2025-12-11 14:11:35.622] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:11:35.622] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 14:11:35.622] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 14:11:38.633] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26098 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.8.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.8.17610986931410.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Date=20251211T061138Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=4f32f881f81c9d57117c3cdfc083e2512731f873fb25608fc5c565bfd28bf75f"}
[2025-12-11 14:11:38.633] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:11:38.633] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:11:38.633] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:11:38.633] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:11:38.633] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:11:38.633] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:11:38.821] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.8.17610986931410.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765433498633, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 14:11:38.821] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000
[2025-12-11 14:11:38.821] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:11:38.821] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 14:11:38.821] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 14:11:41.830] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25693 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.9.17610986931410.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.9.17610986931410.jsonl?X-Amz-Signature=71508962c6e7e8c8a352efd64c19dcd3cf89f9ad12bd0122408d4cab7c2e7c10&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T061141Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"}
[2025-12-11 14:11:41.830] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:11:41.830] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:11:41.830] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:11:41.830] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:11:41.830] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:11:41.831] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:11:42.015] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.9.17610986931410.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765433501831, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]}
[2025-12-11 14:11:42.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000
[2025-12-11 14:11:42.015] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:11:42.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka.
[2025-12-11 14:11:42.015] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 14:14:52.903] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25694 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.1.1765433552.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.1.1765433552.jsonl?X-Amz-Signature=05f9ad62b44d1a3ab0bb65d0ae83c043685c9c72be790053471a1c41efb44dbb&X-Amz-Date=20251211T061452Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 14:14:52.903] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:14:52.903] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:14:52.903] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:14:52.903] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:14:52.903] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:14:52.903] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:14:53.057] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.1.1765433552.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433692904, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:14:53.057] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:14:53.057] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:17:08.515] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25695 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.16.1765433571.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.16.1765433571.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T061708Z&X-Amz-SignedHeaders=host&X-Amz-Signature=e7e9e2521f5c5be47b0bb613697123a15ead4af24233210bb71795f445d83850"} [2025-12-11 14:17:08.515] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:17:08.515] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:17:08.515] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:17:08.515] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:17:08.515] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:17:08.516] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:17:08.666] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.16.1765433571.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433828516, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:17:08.667] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:17:08.667] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:17:59.523] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26099 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.22.1765433569.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.22.1765433569.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=fc583c4396e03495db162df7ed8113200c1b5c38a7ebcdc979f9809f20c4a396&X-Amz-Date=20251211T061759Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:17:59.523] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:17:59.523] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:17:59.523] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:17:59.523] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:17:59.523] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:17:59.524] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:17:59.740] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.22.1765433569.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433879524, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:17:59.740] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:17:59.740] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:18:33.524] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26100 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.15.1765433574.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.15.1765433574.jsonl?X-Amz-Signature=f03e4c9c2d5b93c6c0bee4d4cda7f4c57610ee1f0607b40c158ce4e99f9d6800&X-Amz-Expires=604800&X-Amz-Date=20251211T061833Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:18:33.524] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:18:33.524] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:18:33.525] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:18:33.525] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:18:33.525] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:18:33.526] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:18:33.765] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.15.1765433574.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433913526, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:18:33.765] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:18:33.765] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:18:46.025] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25696 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.21.1765433660.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.21.1765433660.jsonl?X-Amz-Signature=a8f1bccd1869e2de7fea25373c2862d9bc8323c90e5d3a049ddef2ca111fbbed&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T061845Z"} [2025-12-11 14:18:46.025] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:18:46.025] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:18:46.025] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:18:46.025] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:18:46.025] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:18:46.026] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:18:46.295] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.21.1765433660.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765433926026, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:18:46.295] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:18:46.295] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:18:58.525] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24941 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.7.1765433547.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.7.1765433547.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=b1cc2a43c81f08b2abf7734598ac693bd6e1cdc9c80ed262737149645945e3e5&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T061858Z"} [2025-12-11 14:18:58.525] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:18:58.525] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:18:58.525] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:18:58.526] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:18:58.526] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:18:58.526] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:18:58.766] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.7.1765433547.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433938527, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:18:58.766] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:18:58.766] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:19:12.277] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24942 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.8.1765433570.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.8.1765433570.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=fc9f21b7a8afc45110a85cfa516824b26e9153375535af508bb85f2ba1169c9c&X-Amz-Date=20251211T061911Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:19:12.277] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:19:12.277] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:19:12.277] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:19:12.277] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:19:12.277] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:19:12.278] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:19:12.518] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.8.1765433570.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765433952278, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:19:12.518] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:19:12.518] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:19:18.526] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25697 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.19.1765433882.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.19.1765433882.jsonl?X-Amz-Signature=a5fcae7cefb9ec066eba6e9def99d7dd31be028aeb6b160f4c939bfd5847bf21&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T061918Z&X-Amz-Expires=604800"} [2025-12-11 14:19:18.527] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:19:18.527] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:19:18.527] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:19:18.527] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:19:18.527] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:19:18.528] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:19:18.777] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.19.1765433882.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433958528, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:19:18.777] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:19:18.777] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:19:43.529] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25698 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.5.1765433741.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.5.1765433741.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=85c6d8f37984dd884c3cd8a3f4149effceb87ec93831550baf0df778c1790a81&X-Amz-Date=20251211T061943Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:19:43.529] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:19:43.529] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:19:43.529] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:19:43.529] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:19:43.529] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:19:43.530] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:19:43.770] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.5.1765433741.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433983530, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:19:43.771] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:19:43.771] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:19:54.787] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25699 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.9.1765433819.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.9.1765433819.jsonl?X-Amz-Date=20251211T061954Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=4832e473afae677269e656ec4744faa132d3557485811e62ced8c73a56f994f9&X-Amz-Expires=604800"} [2025-12-11 14:19:54.787] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:19:54.787] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:19:54.788] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:19:54.788] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:19:54.788] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:19:54.789] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:19:55.353] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.9.1765433819.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765433994789, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:19:55.353] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:19:55.353] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:07.284] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24943 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.18.1765433531.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.18.1765433531.jsonl?X-Amz-Date=20251211T062006Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=e6e71aba5515bcf77786aa0ffb335b8bec978b8973ab3abb6cee62a0c82a94aa"} [2025-12-11 14:20:07.285] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:07.285] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:07.285] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:07.285] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:07.285] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:07.286] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:07.531] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.18.1765433531.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765434007286, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:20:07.531] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:20:07.531] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:10.646] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26101 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.10.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.10.17610986931420.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=d5ee12dd05898ca8049b1cf7043b5deeb72f22b120e1d5c7cb43e413039327e4&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062010Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:20:10.646] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:10.646] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:10.646] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:10.646] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:10.646] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:10.647] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:10.897] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.10.17610986931420.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765434010647, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50197, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50510, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 
50497, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671327905226952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50202, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50106, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7891251009837256, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50490, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986222879414073, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50251, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6458299041355519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50102, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9628606284766527, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 49942, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9833686131374094, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50155, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50105, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8497049935950336, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50527, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50247, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50180, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50354, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9266852516381958, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49802, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50384, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944584265644585, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.113.250", "protocol": "tcp", "src_port": 50417, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871899379387804, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:10.897] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:20:10.897] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:10.897] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:10.897] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:13.793] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26102 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.11.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.11.17610986931420.jsonl?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=01e9c84bf1a7718400336674ab113d4a589847ae5b2123db9648f00ebcb2f058&X-Amz-Date=20251211T062013Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:20:13.793] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:13.793] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:13.793] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:13.793] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:13.793] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:13.794] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:14.031] 
[DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.11.17610986931420.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765434013794, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50176, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50503, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854062911109006, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50305, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986466602684037, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50561, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50050, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50520, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50523, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50379, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8940216726975259, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49811, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50179, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50494, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837251088220053, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.52.100.183", "protocol": "tcp", "src_port": 50502, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858931570717602, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.143.199.172", "protocol": "tcp", "src_port": 50142, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9881503019491974, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "57.155.120.218", "protocol": "tcp", "src_port": 50415, "dest_port": 443, 
"y_pred": 1, "y_pred_proba_max": 0.9227656751828837, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50447, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9871209269901958, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.253.49", "protocol": "tcp", "src_port": 50479, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9204671188927631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49888, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8913583475272854, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50438, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837569544664104, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50519, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50546, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8893268365633519, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:14.031] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 14:20:14.031] [DEBUG] [tid:129356944758464] 
(KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:14.031] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:14.031] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:16.944] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26103 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.1.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.1.17610986931420.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062016Z&X-Amz-Expires=604800&X-Amz-Signature=4faff5976a1834f21a151c9aee934e00e3deafb2ce1eff458f7c9ef7e792365a"} [2025-12-11 14:20:16.944] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:16.944] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:16.944] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:16.944] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:16.944] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:16.945] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:17.187] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.1.17610986931420.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765434016945, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49977, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9997183616258911, "2_count": 2.0, 
"2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50380, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49978, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999741330258014, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50607, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50236, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8758576397939718, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50203, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50161, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9861184497791043, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50526, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50297, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99961990187526, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50548, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9166098868921807, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50196, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50635, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "123.249.12.207", "protocol": "tcp", "src_port": 50349, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9517653518955267, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50451, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9935841069204537, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49694, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50154, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50487, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993624819729473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50511, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50660, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5160756214892233, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50352, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9822856114799795, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50355, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9178209457268623, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50246, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:17.187] [INFO] [tid:129356944758464] 
(KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:20:17.187] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:17.187] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:17.187] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:20.144] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25700 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.12.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.12.17610986931420.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=1c3609f55b170d3c78970e2bd21f69fb766e32fda439ce09d4fd5a305fbb4af9&X-Amz-Date=20251211T062019Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:20:20.144] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:20.144] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:20.144] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:20.144] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:20.144] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:20.144] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:20.385] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.12.17610986931420.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 23, "abnormal_count": 23, "normal_count": 0, "timestamp": 1765434020144, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", 
"protocol": "tcp", "src_port": 49918, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9434178651974208, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49801, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50098, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.979476406385797, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50312, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8775283158754487, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50256, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9952297098413537, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50325, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723471895815434, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50327, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50517, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50135, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9151737736531406, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50036, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50596, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8736367684939467, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50048, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50063, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50289, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50446, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.132.242.154", "protocol": "tcp", "src_port": 49882, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9890063873624129, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50115, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9982562146170709, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50290, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50043, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50374, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9124107711631884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50524, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50563, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 10, "2_sum": 10, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "120.46.51.20", "protocol": "tcp", "src_port": 50273, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8949209220998952, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:20.385] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 23|max_alert: 1000 [2025-12-11 14:20:20.385] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:20.385] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:20.386] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:23.305] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24944 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.13.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.13.17610986931420.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=e0b494ebd55a057c676e0e2c7107d94777685277667eec067d52db779cf7bfa2&X-Amz-Date=20251211T062022Z"} [2025-12-11 14:20:23.305] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:23.305] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:23.306] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:23.306] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:23.306] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:23.306] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:23.551] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:14/output/gbm/alert.pcap.13.17610986931420.jsonl|result:{"code": 1, "total_count": 25, "alert_count": 25, "abnormal_count": 25, "normal_count": 0, "timestamp": 1765434023306, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50167, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50602, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50035, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50483, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.22.3", "protocol": "tcp", "src_port": 49941, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9027507773608666, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49939, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 
50009, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9898052087615025, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50276, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50283, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.29.11", "protocol": "tcp", "src_port": 50366, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9811379852086798, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50074, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49842, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50657, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858390475712154, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50029, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, 
"2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50405, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9906477192719227, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50550, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50150, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50493, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895604510076603, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50507, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.992095265861976, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50629, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9221505003231499, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49856, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6505383816340582, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50153, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50206, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50280, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50364, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:23.551] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 25|max_alert: 1000 [2025-12-11 14:20:23.551] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:23.551] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:23.551] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:20:26.669] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25701 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.14.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.14.17610986931420.jsonl?X-Amz-Expires=604800&X-Amz-Signature=e8d94a6af4dcd63fa62405a79c736b38fce14c3c198d17592a3a333126912b86&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062026Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:20:26.669] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:26.669] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:26.669] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:26.669] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:26.669] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:26.670] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:26.897] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.14.17610986931420.jsonl|result:{"code": 1, "total_count": 22, "alert_count": 22, "abnormal_count": 22, "normal_count": 0, "timestamp": 1765434026670, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50045, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49858, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.948833755868132, "2_count": 1, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.28.10", "protocol": "tcp", "src_port": 50547, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9810893334081382, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50075, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50488, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50350, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9581254078848882, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50087, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50462, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50431, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.61", "protocol": "tcp", "src_port": 50406, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8074537105643911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50232, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427978520815071, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50282, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50185, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8623842237021218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50148, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50299, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50464, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50509, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50151, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50008, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7325211921496005, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50628, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.6327220629300937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50481, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50277, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 13, "2_sum": 13, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:26.897] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:20:26.897] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:26.897] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. 
[2025-12-11 14:20:26.897] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:29.788] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25702 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.15.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.15.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=2e2e345baafb5ccb3761a2bb98931784cf096648d70fdf9b605fbb5db4a1c3d8&X-Amz-Date=20251211T062029Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:20:29.789] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:29.789] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:29.789] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:29.789] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:29.789] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:29.790] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:30.029] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.15.17610986931420.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765434029790, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50542, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50192, 
"dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9854409930237161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", "src_port": 49899, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9319984670207415, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50300, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931981638327161, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.241.198", "protocol": "tcp", "src_port": 49881, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9908791961625715, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49914, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.37.167", "protocol": "tcp", "src_port": 50505, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8862503171336631, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50298, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.175.38.6", "protocol": "tcp", "src_port": 50508, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9251013815505887, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50061, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50427, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9451570018511891, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50442, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9870391528574759, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50489, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50452, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50418, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9596977275034663, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50426, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9895428159947536, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49878, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974829953380221, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.213.50", "protocol": "tcp", "src_port": 50090, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9195643673584233, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 50474, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50516, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50358, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:30.029] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 14:20:30.029] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:30.029] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:30.029] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:20:33.148] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25703 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.16.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.16.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062032Z&X-Amz-Signature=3e9b5d2545efc767934cf2921095cd69b23db650b53f668cfdf29be7328368d8"} [2025-12-11 14:20:33.148] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:33.148] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:33.148] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:33.148] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:33.148] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:33.149] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:33.413] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.16.17610986931420.jsonl|result:{"code": 1, "total_count": 26, "alert_count": 26, "abnormal_count": 26, "normal_count": 0, "timestamp": 1765434033149, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50304, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9425584919270099, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49916, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50053, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9859420979243508, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50344, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4285159353571787, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49887, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50262, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9920454156536166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.216.189", "protocol": "tcp", "src_port": 50095, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8005313339363406, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50367, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50331, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.25.27", "protocol": "tcp", "src_port": 49953, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999659947187012, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49857, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.873642452450752, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50177, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50207, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50377, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9228634096625739, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.32.132.48", "protocol": "tcp", "src_port": 50416, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.872489769645985, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50496, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7047630891986135, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50522, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.1", "protocol": "tcp", "src_port": 49927, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.220.77.56", "protocol": "tcp", "src_port": 50313, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756469161092314, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50404, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9858144175177987, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50500, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50239, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9867736940219898, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50051, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50557, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9312191603697401, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49873, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9740054173010114, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 49861, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9202885873733923, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:33.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 14:20:33.413] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:33.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:33.413] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:20:36.621] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26104 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.17.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.17.17610986931420.jsonl?X-Amz-Signature=73343d7cd4e70a43d30f6797d1fb571eba7bf1d4a4c6c65f47f6488e1e9a9aa6&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Date=20251211T062036Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host"} [2025-12-11 14:20:36.621] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:36.621] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:36.621] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:36.621] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:36.621] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:36.622] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:36.881] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.17.17610986931420.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765434036622, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50012, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9956502822261911, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50094, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999212365720671, "2_count": 2, "2_sum": 
2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50606, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9790099228201751, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50257, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9990492370434219, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.122.55", "protocol": "tcp", "src_port": 50101, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9697454177805649, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50435, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837705668750215, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50395, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.999908459646488, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49973, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9993460937257912, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49989, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8500557914131911, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50103, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5419285978798709, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50476, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49990, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9979995189937263, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50499, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.151", "protocol": "tcp", "src_port": 49788, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.162.10.192", "protocol": "tcp", "src_port": 50114, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.976863610352734, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50225, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9087545563693218, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.31.122.55", "protocol": "tcp", "src_port": 50448, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5769980707430126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50409, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.733240780563495, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:36.881] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:20:36.881] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:36.881] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:36.881] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:39.753] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25704 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.18.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.18.17610986931420.jsonl?X-Amz-Signature=108696c5df9e1028ad4b9fea0af8d2ae9577b4af5cb3bc3e9348a95cfa52aaf9&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062039Z&X-Amz-SignedHeaders=host"} [2025-12-11 14:20:39.753] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:39.753] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:39.753] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:39.753] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:39.753] 
[INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:39.753] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:39.994] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.18.17610986931420.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765434039753, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50220, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49935, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8955605067471277, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49893, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50553, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9263918774338468, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49929, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9272505117395095, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50088, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50475, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9477100345633777, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50383, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7481021796885889, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50650, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941374340185456, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50046, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50141, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50386, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.255.38", "protocol": "tcp", "src_port": 50449, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.9496389457889445, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.113.130.85", "protocol": "tcp", "src_port": 50373, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50169, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50132, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6.0, "2_sum": 6, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50371, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989794701501156, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50554, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9489417371813754, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:39.994] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:20:39.994] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:39.994] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:39.994] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:20:42.881] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26105 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.19.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.19.17610986931420.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062042Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=c76379f6fe698b9043030566a0fa5187b10c1e4f4164a49d2374415b329b28b9&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 14:20:42.881] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:42.881] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:42.881] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:42.881] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:42.881] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:42.881] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:43.141] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.19.17610986931420.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765434042882, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49870, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9985463831905574, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50254, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9923373572362969, "2_count": 1, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50589, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358989909907683, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50432, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50623, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9724127917525347, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50651, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9127998696423738, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "211.151.19.148", "protocol": "tcp", "src_port": 50321, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9840336453751718, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50183, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9671683755020176, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50222, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50221, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50140, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50345, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9053165640648995, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50385, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998863446143573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "106.13.244.95", "protocol": "tcp", "src_port": 50626, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.991571871695044, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.61.248", "protocol": "tcp", "src_port": 50006, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986048917384169, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49999, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9723690262017185, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": 
"tcp", "src_port": 50267, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5, "2_sum": 5, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:43.141] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:20:43.141] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:43.141] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:43.141] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:46.054] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24945 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.20.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.20.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=9cbd1715a6a893943f4c395f09b2a8d5780bf7a0e9506a72c231e4a2a698e284&X-Amz-Date=20251211T062045Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:20:46.054] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:46.054] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:46.054] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:46.054] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:46.054] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:46.055] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:46.240] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) 
bucket:2025-12-11|object:14/output/gbm/alert.pcap.20.17610986931420.jsonl|result:{"code": 1, "total_count": 17, "alert_count": 17, "abnormal_count": 17, "normal_count": 0, "timestamp": 1765434046055, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49970, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999655776123294, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50598, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.972751885055052, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50616, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.981431987646444, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49773, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.236.98", "protocol": "tcp", "src_port": 50400, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9777942042208041, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50096, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9610043927222635, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50082, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50622, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949329167991451, "2_count": 3, "2_sum": 3, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50453, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50356, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753376675463165, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50378, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.996645095315891, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.220.151.49", "protocol": "tcp", "src_port": 49991, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9681277345350449, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.48.172.241", "protocol": "tcp", "src_port": 50129, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9417868802887015, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50189, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 
0.8094812727311573, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49894, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50555, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9719451686850884, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50317, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.4786736570096651, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:46.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:20:46.241] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:46.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:46.241] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:20:49.205] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26106 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.21.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.21.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062048Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=4359ef16653bdc167fda6a5d0527fc5d83d877211af06fc45680a386d775b53b&X-Amz-SignedHeaders=host"} [2025-12-11 14:20:49.205] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:49.205] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:49.205] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:49.205] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:49.205] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:49.205] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:49.394] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.21.17610986931420.jsonl|result:{"code": 1, "total_count": 20, "alert_count": 20, "abnormal_count": 20, "normal_count": 0, "timestamp": 1765434049206, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.18", "protocol": "tcp", "src_port": 50191, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49933, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.983522767485445, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50211, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9942232611378077, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.27.10", "protocol": "tcp", "src_port": 49871, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9792783921980416, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50315, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974657537062649, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50346, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7253580536479742, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50389, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50348, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9663875797170431, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.234.97.89", "protocol": "tcp", "src_port": 50477, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7967743601421772, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50233, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50633, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961574170482782, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50018, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9989742169573105, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50014, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7728545617685111, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49921, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758065422065172, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50076, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50027, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8630319401034162, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", 
"protocol": "tcp", "src_port": 50330, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50407, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9700577356238725, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50086, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50574, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 6, "2_sum": 6, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:49.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 20|max_alert: 1000 [2025-12-11 14:20:49.394] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:49.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:49.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:20:52.394] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25705 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.2.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.2.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=8b4f169128bcc88d4774429b7fb7313fd8ebec981c870fe353cff37e2733c6d8&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062052Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800"} [2025-12-11 14:20:52.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:52.394] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:52.394] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:52.394] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:52.394] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:52.394] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:52.609] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.2.17610986931420.jsonl|result:{"code": 1, "total_count": 27, "alert_count": 26, "abnormal_count": 26, "normal_count": 1, "timestamp": 1765434052394, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50634, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "118.89.204.198", "protocol": "tcp", "src_port": 50648, "dest_port": 443, "y_pred": 2, "y_pred_proba_max": 0.539671673599211, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "Behinder"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50287, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50459, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8818531237715439, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50658, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7337989747885654, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49995, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973271032011077, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.185.134", "protocol": "tcp", "src_port": 50337, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998485770667981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50414, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9781294486115352, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50237, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8347470129747349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 
1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50570, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50580, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50471, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9971823306211751, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50278, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50402, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766503916105866, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50381, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50484, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50528, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50328, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50401, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944651374268547, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50296, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998741851816862, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49943, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9542007136130981, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.105", "protocol": "tcp", "src_port": 50625, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9825246278129468, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49821, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", 
"protocol": "tcp", "src_port": 50398, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9866180027435798, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50004, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9448851526818528, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50480, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9758749087809037, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:52.609] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 26|max_alert: 1000 [2025-12-11 14:20:52.609] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:52.609] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:52.609] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:20:55.890] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24946 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.22.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.22.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Signature=1ac1f44ef1e5a8d53faa80c924eacb7118d15ec5cb9d4fb8ded28fcedfe9493d&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062055Z"} [2025-12-11 14:20:55.891] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:55.891] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:55.891] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:55.891] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:55.891] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:55.891] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:56.155] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.22.17610986931420.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765434055891, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50028, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50365, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 
1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49854, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5786036795604459, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50662, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8871346318388157, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50585, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8249611815657307, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50530, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9024018957960891, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50026, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9986473928200259, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.62.174.243", "protocol": "tcp", "src_port": 50545, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9624252679015631, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50612, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.965275103129727, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, 
"5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49925, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747671805046822, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49944, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9869387818080411, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.51.161.66", "protocol": "tcp", "src_port": 50123, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7731938946060795, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50397, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107999416750001, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50118, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50357, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9389862274330749, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50440, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9902328849146982, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50368, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 3.0, "2_sum": 3, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:56.155] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:20:56.155] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:56.155] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:56.155] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:20:59.732] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25706 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.23.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.23.17610986931420.jsonl?X-Amz-Signature=21da44d778f46e3d4e8f9f141902822edba6a88fd3c1295589cef145fab786b0&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062059Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host"} [2025-12-11 14:20:59.732] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:20:59.732] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:20:59.732] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:20:59.732] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:20:59.732] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:20:59.733] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:20:59.974] [DEBUG] 
[tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.23.17610986931420.jsonl|result:{"code": 1, "total_count": 21, "alert_count": 21, "abnormal_count": 21, "normal_count": 0, "timestamp": 1765434059733, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50126, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9961544144455967, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.107.246.74", "protocol": "tcp", "src_port": 50506, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9605298901417075, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50627, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9944505609423887, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.150.160.206", "protocol": "tcp", "src_port": 50124, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747845243097288, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50260, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50064, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"111.31.122.55", "protocol": "tcp", "src_port": 50498, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9793698927690696, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50042, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50044, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50562, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50640, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50073, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9992385224413204, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50514, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50085, "dest_port": 53, "y_pred": 1, 
"y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50429, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50309, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.994290448467571, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50149, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50168, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50382, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7011351746711142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.222.152.64", "protocol": "tcp", "src_port": 50638, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9779043168436835, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50037, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 12, "2_sum": 12, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:20:59.974] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 21|max_alert: 1000 [2025-12-11 14:20:59.975] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:20:59.975] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:20:59.975] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:21:02.959] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24947 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.24.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.24.17610986931420.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062102Z&X-Amz-Signature=75c6a165dc24a5480b76d1454da39a6a1a8b0c2f1cae2d10b2bc4959ab203155"} [2025-12-11 14:21:02.959] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:02.959] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:02.960] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:02.960] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:02.960] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:02.960] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:03.190] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.24.17610986931420.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765434062960, 
"module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50229, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7784157580153467, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.68.203", "protocol": "tcp", "src_port": 50195, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9897633686170296, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50482, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.38.119", "protocol": "tcp", "src_port": 50495, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9911306060967026, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50603, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.21", "protocol": "tcp", "src_port": 49947, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999415747476534, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50478, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.990150959540726, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50034, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49985, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8652710729389349, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50281, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50631, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853386683896556, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50594, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50031, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50033, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": 
"10.1.9.17", "protocol": "tcp", "src_port": 50259, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50011, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9883959426357691, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50319, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:03.190] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:21:03.190] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:03.190] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:03.190] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:21:06.389] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26107 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.25.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.25.17610986931420.jsonl?X-Amz-Date=20251211T062105Z&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=69d09d2c93dcb5f5fadc5ff74069184fb18c9bac410e3a7a348dda6ea79693fa"} [2025-12-11 14:21:06.389] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:06.389] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:06.389] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:06.389] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:06.389] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:06.390] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:06.635] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.25.17610986931420.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 17, "abnormal_count": 17, "normal_count": 1, "timestamp": 1765434066390, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50013, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50038, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 
4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50062, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50125, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.240.99.58", "protocol": "tcp", "src_port": 50641, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9750652642107684, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50258, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9955188316394289, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50288, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 50005, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8427110539814073, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.88.223", "protocol": "tcp", "src_port": 50134, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9851867603065232, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, 
"5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50551, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8059095115195145, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49919, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9172603475203133, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50652, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4.0, "2_sum": 4, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "202.89.233.96", "dest_ip": "10.1.131.158", "protocol": "tcp", "src_port": 443, "dest_port": 49847, "y_pred": 1, "y_pred_proba_max": 0.9988023204669473, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50419, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5238760318986195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.155.160.140", "protocol": "tcp", "src_port": 49790, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50334, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9530506499197517, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49742, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:06.635] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 17|max_alert: 1000 [2025-12-11 14:21:06.635] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:06.635] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:06.635] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:21:09.633] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26108 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.26.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.26.17610986931420.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=7104122d487fb487f29f5ad44994c3847c967875154c977c3eddb19400594841&X-Amz-Date=20251211T062109Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:21:09.633] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:09.633] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:09.633] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:09.633] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:09.633] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:09.634] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:09.884] [DEBUG] [tid:129356944758464] 
(AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.26.17610986931420.jsonl|result:{"code": 1, "total_count": 23, "alert_count": 22, "abnormal_count": 22, "normal_count": 1, "timestamp": 1765434069634, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50439, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9853373018252618, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50521, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "151.101.1.229", "protocol": "tcp", "src_port": 50316, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5882853156839113, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 49930, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9813722275948225, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50347, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9363461552085169, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.134", "protocol": "tcp", "src_port": 49954, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9940003495439546, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", 
"dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50463, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50314, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998447736613844, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.253", "protocol": "tcp", "src_port": 50117, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9786811180845782, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50467, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 50362, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9737436655985068, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50512, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50375, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.29.202", "protocol": "tcp", 
"src_port": 49897, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.99989131645703, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49986, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9907578643456904, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50230, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9601621867432435, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.9", "protocol": "tcp", "src_port": 50353, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9248568229582469, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50322, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50445, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9894949279716366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50593, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "43.140.12.43", "protocol": "tcp", "src_port": 50318, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9759535265977303, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50040, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7.0, "2_sum": 7, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:09.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 22|max_alert: 1000 [2025-12-11 14:21:09.884] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:09.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:09.884] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:21:12.850] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26109 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.3.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.3.17610986931420.jsonl?X-Amz-Signature=12a945a9b5a82904b2f48ada658c4795ead306c23ffc89090ee7852265a541ed&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Date=20251211T062112Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:21:12.850] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:12.850] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:12.850] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:12.850] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:12.850] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load 
[2025-12-11 14:21:12.851] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:13.101] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.3.17610986931420.jsonl|result:{"code": 1, "total_count": 31, "alert_count": 30, "abnormal_count": 30, "normal_count": 1, "timestamp": 1765434072852, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "124.70.62.170", "protocol": "tcp", "src_port": 50093, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9302011994091218, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50630, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9949141468870227, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50399, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 49824, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49922, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.7619577796081339, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.104.59", "protocol": "tcp", "src_port": 50639, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5747755261992421, 
"2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50032, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50390, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 50143, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50579, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50231, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9912641259791639, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.253.253.233", "protocol": "tcp", "src_port": 50436, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8619378326923961, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50020, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995274668813986, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, 
"5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49982, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9977918468988228, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49987, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9439550958667982, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50560, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9372883613254258, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50131, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.92", "protocol": "tcp", "src_port": 49915, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8858063837145578, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.194.189.11", "protocol": "tcp", "src_port": 50307, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9974631042458713, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.68", "protocol": "tcp", "src_port": 50437, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50128, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.114.80", "protocol": "tcp", "src_port": 50473, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.165.120", "protocol": "tcp", "src_port": 50423, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9079618105919538, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.226.166.151", "protocol": "tcp", "src_port": 50286, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998887397093179, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50573, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49890, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 49983, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9683054451954104, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": 
"10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50041, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50468, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 8.0, "2_sum": 8, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49889, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:13.101] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 30|max_alert: 1000 [2025-12-11 14:21:13.101] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:13.101] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:13.101] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:21:15.979] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24948 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.4.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.4.17610986931420.jsonl?X-Amz-Date=20251211T062115Z&X-Amz-SignedHeaders=host&X-Amz-Signature=9d158500171222e5767e096a84c7c984fcfd31ba89f333c5f593479ec448759e&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 14:21:15.979] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:15.979] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:15.979] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:15.979] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:15.979] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:15.980] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:16.166] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.4.17610986931420.jsonl|result:{"code": 1, "total_count": 16, "alert_count": 16, "abnormal_count": 16, "normal_count": 0, "timestamp": 1765434075980, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50599, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50653, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50271, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.25", "protocol": "tcp", "src_port": 50340, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9557360906725153, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "142.250.66.78", "protocol": "tcp", "src_port": 49761, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "104.18.38.233", "protocol": "tcp", "src_port": 49696, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.2", "protocol": "tcp", "src_port": 49815, "dest_port": 8080, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50428, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50007, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8576461187690411, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50664, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50461, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9531336479755481, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50642, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50039, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50170, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49860, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8325953986089363, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50268, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 9, "2_sum": 9, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:16.166] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm 
alert_count: 16|max_alert: 1000 [2025-12-11 14:21:16.166] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:16.166] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:16.166] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:21:19.492] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26110 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.5.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.5.17610986931420.jsonl?X-Amz-Date=20251211T062119Z&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=d1ef75ac3a68d82023c2a1f9c1db3273a7254129d58be16314bbb9f0123b2fef"} [2025-12-11 14:21:19.492] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:19.492] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:19.492] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:19.492] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:19.492] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:19.492] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:19.673] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.5.17610986931420.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 18, "abnormal_count": 18, "normal_count": 1, "timestamp": 1765434079493, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50119, 
"dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49924, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8509806284431485, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50624, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9747306537408316, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50333, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9577733114926612, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 49902, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.4.74", "protocol": "tcp", "src_port": 50320, "dest_port": 9000, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50549, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50564, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 
0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50654, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9423199405388736, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50242, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9588125203903446, "2_count": 2.0, "2_sum": 2, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49867, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8945460691510866, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50030, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.158.247.186", "protocol": "tcp", "src_port": 50121, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9753820447058325, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50171, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50422, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9849394001481901, "2_count": 1.0, "2_sum": 1, 
"2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50541, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 5.0, "2_sum": 5, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50587, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9795590475790195, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.46.72.204", "protocol": "tcp", "src_port": 50136, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.956663066769366, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:19.673] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:21:19.673] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:19.673] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:19.673] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:21:22.633] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25707 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.6.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.6.17610986931420.jsonl?X-Amz-Date=20251211T062122Z&X-Amz-SignedHeaders=host&X-Amz-Signature=65574c5e1ce762aaf0a143ced4133a60b6b8f6f115fadd64ec20644118eaa5b0&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 14:21:22.633] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:22.633] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:22.633] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:22.633] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:22.633] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:22.633] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:22.812] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.6.17610986931420.jsonl|result:{"code": 1, "total_count": 13, "alert_count": 13, "abnormal_count": 13, "normal_count": 0, "timestamp": 1765434082633, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "121.36.68.44", "protocol": "tcp", "src_port": 50504, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9358189956292381, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50450, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9837263446909994, "2_count": 2, "2_sum": 2, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "13.89.179.10", "protocol": "tcp", "src_port": 49883, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9941602682227848, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.31.102.211", "protocol": "tcp", "src_port": 50413, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9734791177969814, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50465, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5306824619789472, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.57.94.38", "protocol": "tcp", "src_port": 49892, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9998694918181811, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 50003, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8694093805364917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.156.39.91", "protocol": "tcp", "src_port": 50339, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.986405059765616, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.2.16.16", "protocol": "tcp", "src_port": 49975, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9999376387945121, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": 
"AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50515, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.13.28.239", "protocol": "tcp", "src_port": 49901, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.938456651589145, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "139.9.117.192", "protocol": "tcp", "src_port": 50372, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8894850327223105, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50391, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:22.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 13|max_alert: 1000 [2025-12-11 14:21:22.812] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:22.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:22.812] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:21:25.848] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26111 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.7.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.7.17610986931420.jsonl?X-Amz-Signature=3d08742e2fd39c7ef4dbf215f2537f9c2c93706c9661568b32a68836bd89cd13&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062125Z&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 14:21:25.848] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:25.848] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:25.848] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:25.848] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:25.848] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:25.848] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:26.031] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.7.17610986931420.jsonl|result:{"code": 1, "total_count": 18, "alert_count": 18, "abnormal_count": 18, "normal_count": 0, "timestamp": 1765434085848, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "183.240.8.132", "protocol": "tcp", "src_port": 50227, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8897661563929269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50581, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, 
"2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.4.224.113", "protocol": "tcp", "src_port": 49849, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9532634905214581, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.241.86.254", "protocol": "tcp", "src_port": 50199, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9600487826290192, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 50172, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9400817611226765, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50116, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.185.125.188", "protocol": "tcp", "src_port": 49872, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9978759357079158, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.51.80", "protocol": "tcp", "src_port": 50010, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", "protocol": "tcp", "src_port": 50441, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9878625671600126, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, 
"y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50083, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50663, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.719260591950917, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.34.111.235", "protocol": "tcp", "src_port": 50411, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.998549290571419, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49885, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50270, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.27", "protocol": "tcp", "src_port": 50100, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8412893359572905, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50156, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "223.111.194.233", 
"protocol": "tcp", "src_port": 50255, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9107155218087142, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49994, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9896285535627298, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:26.031] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 18|max_alert: 1000 [2025-12-11 14:21:26.031] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:26.031] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:26.031] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:21:29.045] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24949 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.8.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.8.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062128Z&X-Amz-SignedHeaders=host&X-Amz-Signature=ec2b9fccebd21db5e95ec593108cc95b007365b5802f5705fafafb4e832d814d&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:21:29.045] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:29.045] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:29.045] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:29.045] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:29.045] [INFO] 
[tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:29.045] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:29.259] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.8.17610986931420.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765434089045, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49891, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "121.36.47.3", "protocol": "tcp", "src_port": 50015, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9995715118177109, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50408, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9967591338452444, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49923, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.777270406334166, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50661, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.647571366572099, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.63.215.47", "protocol": "tcp", "src_port": 49980, "dest_port": 443, "y_pred": 1, 
"y_pred_proba_max": 0.9999657034539758, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "172.16.92.3", "protocol": "tcp", "src_port": 50184, "dest_port": 37527, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "202.89.233.96", "protocol": "tcp", "src_port": 49865, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9973910874567038, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "183.201.232.63", "protocol": "tcp", "src_port": 50420, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9757408487177269, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50127, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49997, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.984269050955257, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50223, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.128.241", "protocol": "tcp", "src_port": 50591, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9050869489117033, "2_count": 1, "2_sum": 1, "2_ratio": 
1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "40.74.78.229", "protocol": "tcp", "src_port": 50370, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9939770881097445, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50649, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9766422035502361, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.232.40.133", "protocol": "tcp", "src_port": 49920, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9117178716777372, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "36.131.139.241", "protocol": "tcp", "src_port": 50556, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9803786101644398, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50077, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50388, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 4, "2_sum": 4, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:29.259] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 14:21:29.259] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 
14:21:29.259] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:29.259] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. [2025-12-11 14:21:32.236] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26112 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.9.17610986931420.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.9.17610986931420.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=01f2548aff43872d6b4f3bc9fac55a9478b76ef2171c6eb3ef57a4f6e0ccab2e&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062131Z"} [2025-12-11 14:21:32.236] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:32.236] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:32.236] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:32.236] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:32.236] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:32.236] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:32.421] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.9.17610986931420.jsonl|result:{"code": 1, "total_count": 19, "alert_count": 19, "abnormal_count": 19, "normal_count": 0, "timestamp": 1765434092236, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "10.1.131.158", "dest_ip": "120.240.80.41", "protocol": "tcp", "src_port": 49928, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9931314740190077, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, 
{"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50047, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50387, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "111.29.14.183", "protocol": "tcp", "src_port": 50403, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9756646950440937, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "112.2.102.140", "protocol": "tcp", "src_port": 49880, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8833391308810551, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50582, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50577, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8828376373447289, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "117.163.59.175", "protocol": "tcp", "src_port": 50443, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9947042004868148, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 
50323, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "23.219.73.130", "protocol": "tcp", "src_port": 49895, "dest_port": 80, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "150.171.30.11", "protocol": "tcp", "src_port": 50434, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.975176941910785, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50234, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "124.71.234.74", "protocol": "tcp", "src_port": 50079, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.8967653329082704, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.45", "protocol": "tcp", "src_port": 50444, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9975171238915119, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50571, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "157.148.32.174", "protocol": "tcp", "src_port": 50216, "dest_port": 8106, "y_pred": 1, "y_pred_proba_max": 0.7815374741509655, 
"2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "10.1.9.17", "protocol": "tcp", "src_port": 50279, "dest_port": 53, "y_pred": 1, "y_pred_proba_max": 0.9987206201280128, "2_count": 7, "2_sum": 7, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "120.233.3.26", "protocol": "tcp", "src_port": 49993, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.987471741326815, "2_count": 1, "2_sum": 1, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}, {"src_ip": "10.1.131.158", "dest_ip": "39.156.8.100", "protocol": "tcp", "src_port": 50552, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.9460026832017429, "2_count": 2, "2_sum": 2, "2_ratio": 1.0, "5_count": 1, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:21:32.421] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 19|max_alert: 1000 [2025-12-11 14:21:32.421] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:32.421] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 判断上报文件到kafka. [2025-12-11 14:21:32.421] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka. 
[2025-12-11 14:21:35.337] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26113 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.12.1765433596.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.12.1765433596.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062134Z&X-Amz-Signature=236a973515625137a561202d5a78ad02e9a483626fc901c7752c44b389611361&X-Amz-Expires=604800"} [2025-12-11 14:21:35.337] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:35.337] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:35.337] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:35.337] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:35.337] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:35.338] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:35.491] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.12.1765433596.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765434095338, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:21:35.491] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:21:35.491] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:38.438] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25708 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.11.1765433987.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.11.1765433987.jsonl?X-Amz-Signature=cc7d4b4ea76c705717d095eb0d78911c16fa5d52662851763caf39613c9b777f&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062138Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:21:38.438] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:38.438] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:38.438] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:38.438] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:38.439] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:38.439] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:38.629] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.11.1765433987.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765434098439, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:21:38.629] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:21:38.629] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:41.541] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24950 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.26.1765433545.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.26.1765433545.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=34bb4fc3af57e56f45b267b9a342c9c195723237bba19f1135f6bc275bf12373&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062141Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:21:41.542] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:41.542] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:41.542] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:41.542] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:41.542] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:41.542] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:41.737] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.26.1765433545.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765434101542, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:21:41.737] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:21:41.737] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:44.643] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26114 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.6.1765433547.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.6.1765433547.jsonl?X-Amz-Signature=309a6441ce0c9b438221e2c4533dbe031b75927ed2b420f9511aae188a2b15fd&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062144Z&X-Amz-Expires=604800"} [2025-12-11 14:21:44.643] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:44.643] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:44.644] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:44.644] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:44.644] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:44.645] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:44.839] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.6.1765433547.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765434104645, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:21:44.839] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:21:44.839] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:21:52.291] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24951 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.14.1765433572.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.14.1765433572.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062151Z&X-Amz-SignedHeaders=host&X-Amz-Signature=632d099be0ba4a35e5e1b48f99b1eb66ed5a4986b01e34fc602f39b8a4495737&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:21:52.292] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:21:52.292] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:21:52.292] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:21:52.292] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:21:52.292] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:21:52.293] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:21:52.521] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.14.1765433572.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765434112293, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:21:52.521] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:21:52.521] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:22:38.545] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25709 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.2.1765433571.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.2.1765433571.jsonl?X-Amz-Date=20251211T062238Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Signature=ee56673eed1720f9d253e5478053b2b55f524844e01b03afba67d2f6b431502a"} [2025-12-11 14:22:38.545] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:22:38.545] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:22:38.545] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:22:38.545] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:22:38.545] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:22:38.546] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:22:38.784] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.2.1765433571.jsonl|result:{"code": 0, "total_count": 1, "alert_count": 0, "abnormal_count": 0, "normal_count": 1, "timestamp": 1765434158546, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:22:38.784] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:22:38.784] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:26:51.064] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24952 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.24.1765433571.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.24.1765433571.jsonl?X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062650Z&X-Amz-Signature=da0a818b089becf2e08a27d6ce83a66eb875c5dbd2ef3045bddcbde8a9b1193c&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:26:51.064] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:26:51.064] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:26:51.065] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:26:51.065] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:26:51.065] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:26:51.065] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:26:51.308] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.24.1765433571.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765434411066, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:26:51.308] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:26:51.308] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:27:03.564] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25710 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.25.1765433661.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.25.1765433661.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=9901faabbb21312213d58f55229d087c43207b7c92143d5a2fdf4aee035746e3&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062703Z"} [2025-12-11 14:27:03.564] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:27:03.564] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:27:03.565] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:27:03.565] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:27:03.565] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:27:03.566] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:27:03.807] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.25.1765433661.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765434423566, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:27:03.807] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:27:03.807] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:27:42.317] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24953 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.10.1765434404.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.10.1765434404.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062741Z&X-Amz-Signature=6340887ef665b096806a8b27d12690ec2c6834868f0a48e320eb6f16c4507cca"} [2025-12-11 14:27:42.317] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:27:42.317] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:27:42.318] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:27:42.318] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:27:42.318] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:27:42.319] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:27:42.588] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.10.1765434404.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765434462319, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:27:42.588] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:27:42.588] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:18.319] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25711 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.13.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.13.1765434550.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062917Z&X-Amz-Expires=604800&X-Amz-Signature=fd1d173538e34ff23337727ac793a20af8512a6449306e6873ef19351f2c46c0&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:29:18.319] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:18.319] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:18.319] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:18.319] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:18.319] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:18.320] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:18.564] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.13.1765434550.jsonl|result:{"code": 0, "total_count": 9, "alert_count": 0, "abnormal_count": 0, "normal_count": 9, "timestamp": 1765434558320, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:18.564] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:18.564] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:21.427] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25712 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.18.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.18.1765434550.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=258b0fd6707a8277771a3df92508e567db27f531c3820b822085061cfd565032&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T062921Z&X-Amz-Expires=604800"} [2025-12-11 14:29:21.427] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:21.427] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:21.427] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:21.427] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:21.427] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:21.428] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:21.631] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.18.1765434550.jsonl|result:{"code": 0, "total_count": 10, "alert_count": 0, "abnormal_count": 0, "normal_count": 10, "timestamp": 1765434561428, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:21.631] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:21.631] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:24.529] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24954 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.6.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.6.1765434550.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=61e3a6650d7070fdf2dfc04a1614ab287d8ef4491defaae0f5595ab2fe9bda64&X-Amz-Date=20251211T062924Z"} [2025-12-11 14:29:24.529] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:24.529] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:24.530] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:24.530] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:24.530] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:24.530] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:24.730] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.6.1765434550.jsonl|result:{"code": 0, "total_count": 3, "alert_count": 0, "abnormal_count": 0, "normal_count": 3, "timestamp": 1765434564530, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:24.730] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:24.730] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:27.632] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24955 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.26.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.26.1765434550.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=2de226b20df578068b8f6786fc2acb6100f7b44194dcedbb6b588d11d73a96b7&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062927Z&X-Amz-Algorithm=AWS4-HMAC-SHA256"} [2025-12-11 14:29:27.633] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:27.633] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:27.633] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:27.633] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:27.633] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:27.633] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:27.835] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.26.1765434550.jsonl|result:{"code": 0, "total_count": 9, "alert_count": 0, "abnormal_count": 0, "normal_count": 9, "timestamp": 1765434567633, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:27.836] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:27.836] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:30.742] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24956 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.7.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.7.1765434550.jsonl?X-Amz-Expires=604800&X-Amz-Signature=2a11c88e1a379af3de58a5acec8443dc9fd51479dfedcc7a76b48246663d80d3&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062930Z"} [2025-12-11 14:29:30.742] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:30.742] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:30.742] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:30.742] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:30.742] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:30.743] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:30.947] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.7.1765434550.jsonl|result:{"code": 0, "total_count": 7, "alert_count": 0, "abnormal_count": 0, "normal_count": 7, "timestamp": 1765434570743, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:30.947] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:30.947] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:33.846] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24957 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.22.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.22.1765434550.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=93a22b60a99694ed423c8b7ca9dc52df5df80f93bb54a8d8b6d683340bedeeb0&X-Amz-Date=20251211T062933Z&X-Amz-SignedHeaders=host"} [2025-12-11 14:29:33.847] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:33.847] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:33.847] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:33.847] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:33.847] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:33.847] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:34.056] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.22.1765434550.jsonl|result:{"code": 0, "total_count": 9, "alert_count": 0, "abnormal_count": 0, "normal_count": 9, "timestamp": 1765434573847, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:34.056] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:34.056] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:36.951] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25713 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.2.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.2.1765434550.jsonl?X-Amz-SignedHeaders=host&X-Amz-Signature=b64cd8002b4d1df03dcfe7b22b0a13e4bd85793223f5d7489666963ee8823fe1&X-Amz-Date=20251211T062936Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 14:29:36.951] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:36.951] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:36.951] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:36.951] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:36.951] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:36.952] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:37.158] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.2.1765434550.jsonl|result:{"code": 0, "total_count": 14, "alert_count": 0, "abnormal_count": 0, "normal_count": 14, "timestamp": 1765434576952, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:37.158] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:37.158] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:40.056] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26115 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.24.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.24.1765434550.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T062939Z&X-Amz-Expires=604800&X-Amz-Signature=5cc3d4fa13e5c8abc5674cfdfa4544a5e1a52dec1d966c48501df643f6795811&X-Amz-SignedHeaders=host"} [2025-12-11 14:29:40.056] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:40.056] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:40.056] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:40.056] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:40.056] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:40.057] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:40.255] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.24.1765434550.jsonl|result:{"code": 0, "total_count": 6, "alert_count": 0, "abnormal_count": 0, "normal_count": 6, "timestamp": 1765434580057, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:40.255] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:40.255] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:43.159] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26116 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.16.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.16.1765434550.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062942Z&X-Amz-Signature=3b55b4239215644bfafb5c42733583720c4103cf4c0dee04acbf2bd9351f6d7c&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:29:43.159] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:43.159] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:43.159] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:43.159] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:43.159] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:43.160] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:43.357] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.16.1765434550.jsonl|result:{"code": 0, "total_count": 8, "alert_count": 0, "abnormal_count": 0, "normal_count": 8, "timestamp": 1765434583160, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:43.357] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:43.357] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:46.261] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24958 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.14.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.14.1765434550.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=f7e2dd567e0406265957b0c779e41d493496a15e538d35630a3da6a0c617b527&X-Amz-Date=20251211T062945Z&X-Amz-Expires=604800"} [2025-12-11 14:29:46.261] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:46.261] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:46.261] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:46.262] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:46.262] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:46.262] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:46.470] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.14.1765434550.jsonl|result:{"code": 0, "total_count": 10, "alert_count": 0, "abnormal_count": 0, "normal_count": 10, "timestamp": 1765434586262, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:46.470] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:46.470] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:49.366] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26117 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.15.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.15.1765434550.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062948Z&X-Amz-Signature=83e4ca9f159cdaa964c0cc1c1288ef14d6cc46f4630c80d65affe4964d230a9b&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:29:49.366] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:49.366] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:49.366] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:49.366] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:49.366] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:49.367] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:49.592] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.15.1765434550.jsonl|result:{"code": 0, "total_count": 9, "alert_count": 0, "abnormal_count": 0, "normal_count": 9, "timestamp": 1765434589367, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:49.592] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:49.592] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:52.472] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24959 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.12.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.12.1765434550.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T062952Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=798845fa73ea41fad33db3923b7c2f8864dae06d6e13efbde67fc936e2fd2583&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"} [2025-12-11 14:29:52.472] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:52.472] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:52.472] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:52.472] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:52.472] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:52.472] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:52.669] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.12.1765434550.jsonl|result:{"code": 0, "total_count": 8, "alert_count": 0, "abnormal_count": 0, "normal_count": 8, "timestamp": 1765434592472, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:52.669] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:52.669] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:55.585] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25714 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.8.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.8.1765434550.jsonl?X-Amz-Date=20251211T062955Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=6863e9a556422c8f76e4fbde92679584c7212b4c83a7444052dad477b959db75"} [2025-12-11 14:29:55.585] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:55.585] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:55.585] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:55.585] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:55.585] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:55.586] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:55.787] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.8.1765434550.jsonl|result:{"code": 0, "total_count": 7, "alert_count": 0, "abnormal_count": 0, "normal_count": 7, "timestamp": 1765434595586, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:55.787] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:55.787] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:29:58.688] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25715 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.4.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.4.1765434550.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=9b33cf08f448ce5d6f5008b99bb447ad436e6c6f9b58ecd2bf5337bbb5b98304&X-Amz-Date=20251211T062958Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"} [2025-12-11 14:29:58.688] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:29:58.688] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:29:58.688] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:29:58.688] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:29:58.688] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:29:58.688] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:29:58.883] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.4.1765434550.jsonl|result:{"code": 0, "total_count": 10, "alert_count": 0, "abnormal_count": 0, "normal_count": 10, "timestamp": 1765434598688, "module": "anquanchu", "alerted": false, "details": []} [2025-12-11 14:29:58.883] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000 [2025-12-11 14:29:58.883] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:30:01.799] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25716 key: NULL payload: 
{"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.20.1765434550.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.20.1765434550.jsonl?X-Amz-Date=20251211T063001Z&X-Amz-Signature=d4fec17550af2c02d3b8363ff059be2351b30cddf2728bbdd32a39760d22b38c&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Expires=604800"} [2025-12-11 14:30:01.800] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1 [2025-12-11 14:30:01.800] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib [2025-12-11 14:30:01.800] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm [2025-12-11 14:30:01.800] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load [2025-12-11 14:30:01.800] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load [2025-12-11 14:30:01.800] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0 [2025-12-11 14:30:02.001] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.20.1765434550.jsonl|result:{"code": 1, "total_count": 5, "alert_count": 1, "abnormal_count": 1, "normal_count": 4, "timestamp": 1765434601800, "module": "anquanchu", "alerted": true, "proto": "tcp", "details": [{"src_ip": "192.168.61.142", "dest_ip": "175.24.252.168", "protocol": "tcp", "src_port": 49837, "dest_port": 443, "y_pred": 1, "y_pred_proba_max": 0.5057799051455484, "2_count": 1.0, "2_sum": 1, "2_ratio": 1.0, "5_count": 1.0, "5_sum": 1, "5_ratio": 1.0, "y_pred_text": "AntSword"}]} [2025-12-11 14:30:02.001] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 1|max_alert: 1000 [2025-12-11 14:30:02.001] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib [2025-12-11 14:30:02.001] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:362) 根据预测结果alert_count 
判断上报文件到kafka.
[2025-12-11 14:30:02.001] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:374) 上报kafka.
[2025-12-11 14:37:54.999] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24960 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.9.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.9.1765435059.jsonl?X-Amz-Date=20251211T063754Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=942ede46929804fb856fb1e5b46271544bb206c075cd3955a4995dce0d22c608"}
[2025-12-11 14:37:54.999] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:37:54.999] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:37:55.000] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:37:55.000] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:37:55.000] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:37:55.000] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:37:55.277] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.9.1765435059.jsonl|result:{"code": 0, "total_count": 10, "alert_count": 0, "abnormal_count": 0, "normal_count": 10, "timestamp": 1765435075001, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 14:37:55.277] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 14:37:55.277] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:37:55.617] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26118 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.11.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.11.1765435059.jsonl?X-Amz-Date=20251211T063755Z&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=8aac2478d03b0577c827e24ddc42ecf2b96d9be263ec66f45f00346d9e16312a&X-Amz-SignedHeaders=host"}
[2025-12-11 14:37:55.617] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:37:55.617] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:37:55.617] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:37:55.617] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:37:55.617] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:37:55.618] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:37:55.813] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.11.1765435059.jsonl|result:{"code": 0, "total_count": 6, "alert_count": 0, "abnormal_count": 0, "normal_count": 6, "timestamp": 1765435075618, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 14:37:55.813] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 14:37:55.813] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:37:56.154] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25717 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.23.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.23.1765435059.jsonl?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T063756Z&X-Amz-Expires=604800&X-Amz-Signature=d9ce42c5d7b456d2bacdb9155223de7bf7e508bca7026a6eea44886c2a03e212"}
[2025-12-11 14:37:56.154] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:37:56.154] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:37:56.155] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:37:56.155] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:37:56.155] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:37:56.155] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:37:56.351] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.23.1765435059.jsonl|result:{"code": 0, "total_count": 5, "alert_count": 0, "abnormal_count": 0, "normal_count": 5, "timestamp": 1765435076155, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 14:37:56.351] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 14:37:56.351] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:37:56.679] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25718 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.3.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.3.1765435059.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T063756Z&X-Amz-Signature=d65454470b96c3b8febe2adb6d9d28ce19e3249ed210d90474eaf7a1c2079d92&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request"}
[2025-12-11 14:37:56.679] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:37:56.679] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:37:56.679] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:37:56.679] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:37:56.679] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:37:56.679] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:37:56.865] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.3.1765435059.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765435076679, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 14:37:56.865] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 14:37:56.865] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:37:57.188] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26119 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.19.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.19.1765435059.jsonl?X-Amz-SignedHeaders=host&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Signature=ade059b7c548fe46b2ecb60edafa5830fcb3ba71aa53837d9357a9569507b14f&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T063757Z"}
[2025-12-11 14:37:57.188] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:37:57.188] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:37:57.188] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:37:57.188] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:37:57.188] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:37:57.188] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:37:57.382] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.19.1765435059.jsonl|result:{"code": 0, "total_count": 8, "alert_count": 0, "abnormal_count": 0, "normal_count": 8, "timestamp": 1765435077188, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 14:37:57.382] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 14:37:57.382] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 14:37:57.748] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24961 key: NULL payload: {"bucket":"2025-12-11","object":"14/output/gbm/alert.pcap.5.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/14/output/gbm/alert.pcap.5.1765435059.jsonl?X-Amz-SignedHeaders=host&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T063757Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=574e9da97fd578ffe53d9e27a11d79d7b4aca10862f1787bf5782ee93283d0de"}
[2025-12-11 14:37:57.748] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 14:37:57.748] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 14:37:57.748] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 14:37:57.748] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 14:37:57.748] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 14:37:57.748] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 14:37:57.973] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:14/output/gbm/alert.pcap.5.1765435059.jsonl|result:{"code": 0, "total_count": 6, "alert_count": 0, "abnormal_count": 0, "normal_count": 6, "timestamp": 1765435077748, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 14:37:57.973] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 14:37:57.973] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 15:38:43.969] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24962 key: NULL payload: {"bucket":"2025-12-11","object":"15/output/gbm/alert.pcap.11.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/15/output/gbm/alert.pcap.11.1765435059.jsonl?X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20251211T073843Z&X-Amz-Signature=6ee88e033b6453c234c37ae41149e775b72bc5d7dc06017ea490401a913700d5"}
[2025-12-11 15:38:43.970] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 15:38:43.970] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 15:38:43.970] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 15:38:43.970] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 15:38:43.970] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 15:38:43.971] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 15:38:44.218] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:15/output/gbm/alert.pcap.11.1765435059.jsonl|result:{"code": 0, "total_count": 6, "alert_count": 0, "abnormal_count": 0, "normal_count": 6, "timestamp": 1765438723971, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 15:38:44.218] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 15:38:44.218] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 15:41:58.977] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26120 key: NULL payload: {"bucket":"2025-12-11","object":"15/output/gbm/alert.pcap.19.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/15/output/gbm/alert.pcap.19.1765435059.jsonl?X-Amz-SignedHeaders=host&X-Amz-Date=20251211T074158Z&X-Amz-Signature=88e039e0b3d6963b2bbdcea97cd29f096f4bd32e5276a551c13246ee653203e3&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"}
[2025-12-11 15:41:58.977] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 15:41:58.977] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 15:41:58.978] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 15:41:58.978] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 15:41:58.978] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 15:41:58.979] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 15:41:59.225] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:15/output/gbm/alert.pcap.19.1765435059.jsonl|result:{"code": 0, "total_count": 8, "alert_count": 0, "abnormal_count": 0, "normal_count": 8, "timestamp": 1765438918979, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 15:41:59.225] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 15:41:59.225] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 15:42:02.083] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[1] at offset 24963 key: NULL payload: {"bucket":"2025-12-11","object":"15/output/gbm/alert.pcap.23.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/15/output/gbm/alert.pcap.23.1765435059.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Signature=021c029d06558b747ce68aa3bf5a82cdf284d09a905dfdaf19888cd9bb924687&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T074201Z"}
[2025-12-11 15:42:02.083] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 15:42:02.083] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 15:42:02.083] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 15:42:02.083] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 15:42:02.083] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 15:42:02.084] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 15:42:02.281] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:15/output/gbm/alert.pcap.23.1765435059.jsonl|result:{"code": 0, "total_count": 5, "alert_count": 0, "abnormal_count": 0, "normal_count": 5, "timestamp": 1765438922084, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 15:42:02.281] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 15:42:02.281] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 15:42:05.186] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26121 key: NULL payload: {"bucket":"2025-12-11","object":"15/output/gbm/alert.pcap.3.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/15/output/gbm/alert.pcap.3.1765435059.jsonl?X-Amz-Date=20251211T074204Z&X-Amz-Expires=604800&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=b64362136dd38023e7301585f5fb59ca5d9bce0470a7ca7fc520b905d460ea78&X-Amz-Algorithm=AWS4-HMAC-SHA256"}
[2025-12-11 15:42:05.186] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 15:42:05.186] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 15:42:05.187] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 15:42:05.187] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 15:42:05.187] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 15:42:05.187] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 15:42:05.338] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:15/output/gbm/alert.pcap.3.1765435059.jsonl|result:{"code": 0, "total_count": 2, "alert_count": 0, "abnormal_count": 0, "normal_count": 2, "timestamp": 1765438925187, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 15:42:05.338] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 15:42:05.338] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 15:42:08.291] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[0] at offset 26122 key: NULL payload: {"bucket":"2025-12-11","object":"15/output/gbm/alert.pcap.5.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/15/output/gbm/alert.pcap.5.1765435059.jsonl?X-Amz-Signature=693d414d8f989b095f7ecfa9844a5ed886c6b645060d7d3160ff87a95c1008d5&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Date=20251211T074207Z&X-Amz-Expires=604800"}
[2025-12-11 15:42:08.291] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 15:42:08.291] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 15:42:08.291] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 15:42:08.291] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 15:42:08.291] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 15:42:08.292] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 15:42:08.449] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:15/output/gbm/alert.pcap.5.1765435059.jsonl|result:{"code": 0, "total_count": 6, "alert_count": 0, "abnormal_count": 0, "normal_count": 6, "timestamp": 1765438928292, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 15:42:08.449] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 15:42:08.449] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib
[2025-12-11 15:42:11.394] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:411) Message in-> topic:analyzed_queue_gbm partition:[2] at offset 25719 key: NULL payload: {"bucket":"2025-12-11","object":"15/output/gbm/alert.pcap.9.1765435059.jsonl","url":"http://111.32.12.11:9000/2025-12-11/15/output/gbm/alert.pcap.9.1765435059.jsonl?X-Amz-Credential=UDM59PO2GGFR6AM8LSXP%2F20251211%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20251211T074210Z&X-Amz-Signature=04896cbba0da79a47997e0b7c10ee2cb79bd2e1f00c65632ec5d096d45e4fbca&X-Amz-SignedHeaders=host"}
[2025-12-11 15:42:11.394] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:259) process model: 1
[2025-12-11 15:42:11.394] [INFO] [tid:129356944758464] (AiModule.cpp:129) load so_code_gbm.so lib
[2025-12-11 15:42:11.395] [INFO] [tid:129356944758464] (AiModule.cpp:131) load so module so_code_gbm
[2025-12-11 15:42:11.395] [INFO] [tid:129356944758464] (AiModule.cpp:140) get function load
[2025-12-11 15:42:11.395] [INFO] [tid:129356944758464] (AiModule.cpp:148) prepare args for function load
[2025-12-11 15:42:11.395] [INFO] [tid:129356944758464] (AiModule.cpp:158) load result:0
[2025-12-11 15:42:11.560] [DEBUG] [tid:129356944758464] (AiModule.cpp:211) bucket:2025-12-11|object:15/output/gbm/alert.pcap.9.1765435059.jsonl|result:{"code": 0, "total_count": 10, "alert_count": 0, "abnormal_count": 0, "normal_count": 10, "timestamp": 1765438931395, "module": "anquanchu", "alerted": false, "details": []}
[2025-12-11 15:42:11.560] [INFO] [tid:129356944758464] (KafkaConsumer.cpp:332) gbm alert_count: 0|max_alert: 1000
[2025-12-11 15:42:11.560] [DEBUG] [tid:129356944758464] (KafkaConsumer.cpp:333) gbm检测模型:webshell_lgbm_classifier.lgb.20250902_171938.joblib