8032ebaab8
BruteForce:
- Attaquants: strip ::ffff: des IPs (replaceRegexpAll dans SQL)
- Cibles: 'Voir détails' remplacé par expansion inline avec top IPs par host
+ nouveau endpoint GET /api/bruteforce/host/{host}/attackers
+ interface BruteForceTarget: top_ja4 → top_ja4s (cohérence avec API)
Header Fingerprint:
- Détail cluster: data.ips → data.items (clé API incorrecte)
Heatmap Temporelle:
- Top hosts ciblés: data.hosts → data.items (clé API incorrecte)
- Type annotation corrigé: { hosts: TopHost[] } → { items: TopHost[] }
Botnets Distribués:
- Clic sur ligne: data.countries → data.items (clé API incorrecte)
Rotation & Persistance:
- IPs rotateurs: strip ::ffff: (replaceRegexpAll dans SQL)
- IPs menaces persistantes: strip ::ffff: (replaceRegexpAll dans SQL)
- Historique JA4: data.history → data.ja4_history (clé API incorrecte)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
102 lines
3.4 KiB
Python
102 lines
3.4 KiB
Python
"""
|
|
Endpoints pour la détection de la rotation de fingerprints JA4 et des menaces persistantes
|
|
"""
|
|
from fastapi import APIRouter, HTTPException, Query
|
|
|
|
from ..database import db
|
|
|
|
router = APIRouter(prefix="/api/rotation", tags=["rotation"])
|
|
|
|
|
|
@router.get("/ja4-rotators")
|
|
async def get_ja4_rotators(limit: int = Query(50, ge=1, le=500)):
|
|
"""IPs qui effectuent le plus de rotation de fingerprints JA4."""
|
|
try:
|
|
sql = """
|
|
SELECT
|
|
replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS ip,
|
|
distinct_ja4_count,
|
|
total_hits
|
|
FROM mabase_prod.view_host_ip_ja4_rotation
|
|
ORDER BY distinct_ja4_count DESC
|
|
LIMIT %(limit)s
|
|
"""
|
|
result = db.query(sql, {"limit": limit})
|
|
items = []
|
|
for row in result.result_rows:
|
|
distinct = int(row[1])
|
|
items.append({
|
|
"ip": str(row[0]),
|
|
"distinct_ja4_count":distinct,
|
|
"total_hits": int(row[2]),
|
|
"evasion_score": min(100, distinct * 15),
|
|
})
|
|
return {"items": items, "total": len(items)}
|
|
except Exception as e:
|
|
raise HTTPException(status_code=500, detail=str(e))
|
|
|
|
|
|
@router.get("/persistent-threats")
|
|
async def get_persistent_threats(limit: int = Query(100, ge=1, le=1000)):
|
|
"""Menaces persistantes triées par score de persistance."""
|
|
try:
|
|
sql = """
|
|
SELECT
|
|
replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS ip,
|
|
recurrence,
|
|
worst_score,
|
|
worst_threat_level,
|
|
first_seen,
|
|
last_seen
|
|
FROM mabase_prod.view_ip_recurrence
|
|
ORDER BY (least(100, recurrence * 20 + worst_score * 50)) DESC
|
|
LIMIT %(limit)s
|
|
"""
|
|
result = db.query(sql, {"limit": limit})
|
|
items = []
|
|
for row in result.result_rows:
|
|
recurrence = int(row[1])
|
|
worst_score = float(row[2] or 0)
|
|
items.append({
|
|
"ip": str(row[0]),
|
|
"recurrence": recurrence,
|
|
"worst_score": worst_score,
|
|
"worst_threat_level":str(row[3] or ""),
|
|
"first_seen": str(row[4]),
|
|
"last_seen": str(row[5]),
|
|
"persistence_score": min(100, recurrence * 20 + worst_score * 50),
|
|
})
|
|
return {"items": items, "total": len(items)}
|
|
except Exception as e:
|
|
raise HTTPException(status_code=500, detail=str(e))
|
|
|
|
|
|
@router.get("/ip/{ip}/ja4-history")
|
|
async def get_ip_ja4_history(ip: str):
|
|
"""Historique des JA4 utilisés par une IP donnée."""
|
|
try:
|
|
sql = """
|
|
SELECT
|
|
ja4,
|
|
sum(hits) AS hits,
|
|
min(window_start) AS first_seen,
|
|
max(window_start) AS last_seen
|
|
FROM mabase_prod.agg_host_ip_ja4_1h
|
|
WHERE replaceRegexpAll(toString(src_ip), '^::ffff:', '') = %(ip)s
|
|
GROUP BY ja4
|
|
ORDER BY hits DESC
|
|
"""
|
|
result = db.query(sql, {"ip": ip})
|
|
items = [
|
|
{
|
|
"ja4": str(row[0]),
|
|
"hits": int(row[1]),
|
|
"first_seen":str(row[2]),
|
|
"last_seen": str(row[3]),
|
|
}
|
|
for row in result.result_rows
|
|
]
|
|
return {"ip": ip, "ja4_history": items, "total": len(items)}
|
|
except Exception as e:
|
|
raise HTTPException(status_code=500, detail=str(e))
|