fix: correction de 7 bugs UI/API sur les dashboards avancés

BruteForce: - Attaquants: strip ::ffff: des IPs (replaceRegexpAll dans SQL) - Cibles: 'Voir détails' remplacé par expansion inline avec top IPs par host + nouveau endpoint GET /api/bruteforce/host/{host}/attackers + interface BruteForceTarget: top_ja4 → top_ja4s (cohérence avec API) Header Fingerprint: - Détail cluster: data.ips → data.items (clé API incorrecte) Heatmap Temporelle: - Top hosts ciblés: data.hosts → data.items (clé API incorrecte) - Type annotation corrigé: { hosts: TopHost[] } → { items: TopHost[] } Botnets Distribués: - Clic sur ligne: data.countries → data.items (clé API incorrecte) Rotation & Persistance: - IPs rotateurs: strip ::ffff: (replaceRegexpAll dans SQL) - IPs menaces persistantes: strip ::ffff: (replaceRegexpAll dans SQL) - Historique JA4: data.history → data.ja4_history (clé API incorrecte) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-16 00:24:53 +01:00
parent 735d8b6101
commit 8032ebaab8
7 changed files with 158 additions and 48 deletions
--- a/backend/routes/bruteforce.py
+++ b/backend/routes/bruteforce.py
@ -55,7 +55,7 @@ async def get_bruteforce_attackers(limit: int = Query(50, ge=1, le=500)):
    try:
        sql = """
        SELECT
-            src_ip                  AS ip,
+            replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS ip,
            uniq(host)              AS distinct_hosts,
            sum(hits)               AS total_hits,
            sum(query_params_count) AS total_params,
@ -105,3 +105,37 @@ async def get_bruteforce_timeline():
        return {"hours": hours}
    except Exception as e:
        raise HTTPException(status_code=500, detail=str(e))
+
+
+@router.get("/host/{host:path}/attackers")
+async def get_host_attackers(host: str, limit: int = Query(20, ge=1, le=200)):
+    """Top IPs attaquant un hôte spécifique, avec JA4 et type d'attaque."""
+    try:
+        sql = """
+        SELECT
+            replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS ip,
+            sum(hits)               AS total_hits,
+            sum(query_params_count) AS total_params,
+            argMax(ja4, hits)       AS ja4,
+            max(hits)               AS max_hits_per_window
+        FROM mabase_prod.view_form_bruteforce_detected
+        WHERE host = %(host)s
+        GROUP BY src_ip
+        ORDER BY total_hits DESC
+        LIMIT %(limit)s
+        """
+        result = db.query(sql, {"host": host, "limit": limit})
+        items = []
+        for row in result.result_rows:
+            total_hits   = int(row[1])
+            total_params = int(row[2])
+            items.append({
+                "ip":          str(row[0]),
+                "total_hits":  total_hits,
+                "total_params":total_params,
+                "ja4":         str(row[3] or ""),
+                "attack_type": "credential_stuffing" if total_hits > 0 and total_params / total_hits > 0.5 else "enumeration",
+            })
+        return {"host": host, "items": items, "total": len(items)}
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=str(e))