ORM Models - jastit00/IT-Sec-Projekt GitHub Wiki

Author: Vincent K

Motivation

This documentation describes the structure and purpose of the database ORM models used in log_processor and incident_detector. The models enable structured storage of log data and security incidents, forming the data backbone for log analysis and incident detection.

Technical Description

The models are implemented using Django’s ORM. They define database tables for storing log events, configuration changes, network packets, and detected security incidents. Relationships between models (e.g. linking logs to incidents) are managed via foreign keys.

The image shows the ORM entity-relationship (ER) model of the incident_detector and log_processor models, without internal Django tables.

Note: The diagram is slightly outdated and does not include the DetectionConfig table.

Log Processor Models

UserLogin

Represents a user login event.

Fields:

timestamp (DateTimeField) – Timestamp of the login
username (CharField) – Username
src_ip_address (GenericIPAddressField) – Source IP address
terminal (CharField) – Terminal/session
result (CharField) – Result (e.g. success, failure)
event_type (CharField) – Type of event
severity (CharField) – Severity level

Example log line:

type=USER_LOGIN msg=audit(1743072594.508:45): pid=5148 uid=0 auid=4294967295 ses=4294967295 msg='op=user-login acct="admin" exe="web" hostname=? addr=192.168.0.42 terminal=cda8 res=success'UID="root" AUID="unset"

UserLogout

Represents a user logout event.

Fields:

timestamp (DateTimeField) – Timestamp of the logout
username (CharField) – Username
terminal (CharField) – Terminal/session
result (CharField) – Result
event_type (CharField) – Type of event
severity (CharField) – Severity level

Example log lines:

type=USER_LOGOUT msg=audit(1743072873.900:25): pid=5148 uid=0 auid=4294967295 ses=4294967295 msg='op=user-logout acct="admin" exe="web" hostname=? addr=? terminal=cda8 res=success'UID="root" AUID="unset"

type=USER_END msg=audit(1743466282.880:11): pid=2575 uid=0 auid=4294967295 ses=4294967295 msg='op=user-session-timeout acct="admin" exe="web" hostname=? addr=? terminal=1a91 res=success'UID="root" AUID="unset"

UsysConfig

Represents a user system configuration change.

Fields:

timestamp (DateTimeField) – Timestamp
table (CharField) – Table affected
action (CharField) – Action type (insert, update, delete)
key (CharField) – Key affected
value (TextField) – New value
condition (CharField) – Condition applied
terminal (CharField) – Terminal/session
result (CharField) – Result
event_type (CharField) – Type of event
severity (CharField) – Severity level

Example log line:

type=USYS_CONFIG msg=audit(1725545178.468:27): pid=5179 uid=0 auid=4294967295 ses=4294967295 msg='table="config" action="update" key="password_policy" value="" condition="" exe="/usr/sbin/systemd" hostname=? addr=? terminal=admin res=failed'UID="root" AUID="unset"

NetfilterPackets

Represents logged network packets.

Fields:

timestamp (DateTimeField) – Timestamp
src_ip_address (GenericIPAddressField) – Source IP
dst_ip_address (GenericIPAddressField) – Destination IP
protocol (CharField) – Protocol (e.g. TCP, UDP)
event_type (CharField) – Event type
count (IntegerField) – Number of packets
severity (CharField) – Severity level

Example Log Line:

type=NETFILTER_PKT msg=audit(1747246515.310:49431): mark=0x0 saddr=172.16.0.2 daddr=192.168.0.88 proto=6

UploadedLogFile

Represents a log file upload.

Fields:

filename (CharField) – Filename
file_hash (CharField) – Unique file hash
source (CharField) – Source identifier
uploaded_by (CharField) – Uploader
uploaded_at (DateTimeField) – Upload timestamp
status (CharField) – Status
entries_created (IntegerField) – Number of log entries created
incidents_created_total (IntegerField) – Total incidents created
incident_counts (JSONField) – Counts of incidents by type

DetectionConfig

Represents detection rules or configurations.

Fields:

key (CharField) – Configuration key
data (JSONField) – Configuration data
updated_at (DateTimeField) – Last update timestamp

Incident Detector Models

DosIncident

Represents a detected DoS incident.

Fields:

timestamp (DateTimeField) – Timestamp
timeDelta (CharField) – Duration/delta
src_ip_address (GenericIPAddressField) – Source IP
dst_ip_address (GenericIPAddressField) – Destination IP
event_type (CharField) – Event type
severity (CharField) – Severity level
incident_type (CharField) – Incident type
packets (IntegerField) – Number of packets
protocol (CharField) – Protocol used
reason (TextField) – Reason description

DDosIncident

Represents a detected DDoS incident.

Fields:

timestamp (DateTimeField) – Timestamp
timeDelta (CharField) – Duration/delta
dst_ip_address (GenericIPAddressField) – Target IP
event_type (CharField) – Event type
severity (CharField) – Severity level
incident_type (CharField) – Incident type
packets (IntegerField) – Number of packets
protocol (CharField) – Protocol used
reason (TextField) – Reason description
sources (TextField) – Sources involved

ConcurrentLoginIncident

Represents detected concurrent logins for the same user.

Fields:

timestamp (DateTimeField) – Timestamp
src_ip_address (GenericIPAddressField) – Source IP
username (CharField) – Username
reason (TextField) – Reason
event_type (CharField) – Event type
severity (CharField) – Severity level
incident_type (CharField) – Incident type

ConfigIncident

Represents suspicious configuration change activity.

Fields:

timestamp (DateTimeField) – Timestamp
src_ip_address (GenericIPAddressField) – Source IP
username (CharField) – Username
reason (TextField) – Reason
event_type (CharField) – Event type
severity (CharField) – Severity level
incident_type (CharField) – Incident type

BruteforceIncident

Represents a detected bruteforce attack.

Fields:

timestamp (DateTimeField) – Timestamp
timeDelta (CharField) – Duration
src_ip_address (GenericIPAddressField) – Source IP
username (CharField) – Username
reason (TextField) – Reason
attempts (IntegerField) – Number of attempts
successful (IntegerField) – Successful attempts
event_type (CharField) – Event type
severity (CharField) – Severity level
incident_type (CharField) – Incident type

RelatedLog

Links incidents to specific log records.

Fields:

dos_incident (ForeignKey) – Related DoS incident
ddos_incident (ForeignKey) – Related DDoS incident
bruteforce_incident (ForeignKey) – Related bruteforce incident
concurrent_login_incident (ForeignKey) – Related concurrent login incident
config_incident (ForeignKey) – Related config change incident
user_login (ForeignKey) – Related login
user_logout (ForeignKey) – Related logout
usys_config (ForeignKey) – Related config change
netfilter_packet (ForeignKey) – Related network packet

Risks

• Field size limits (e.g. max_length) may cause truncation or errors
• Data integrity issues if relationships are not enforced
• Migration changes must be handled carefully to avoid corruption