d469e39da7
Services: - ja4sentinel: TLS/JA4 fingerprint capture daemon (Go, libpcap) - logcorrelator: JA4 log correlation engine (Go, ClickHouse) - mod_reqin_log: Apache module (C, JSON request logging) - bot_detector: ML bot detection pipeline (Python) - dashboard: FastAPI/Streamlit analytics UI (Python) Shared libraries: - shared/go/ja4common: logger, config, shutdown, ipfilter (Go module) - shared/python/ja4_common: ClickHouseClient, ClickHouseSettings (Python package) - shared/clickhouse/: canonical SQL migrations (10 files) Build & packaging: - Unified 3-stage Dockerfile.package for Go RPMs (el8/el9/el10) - go.work workspace linking sentinel, correlator, ja4common - Makefile with test-all, build-all, rpm-* targets Fixes applied: - go.work: 1.21 → 1.24.6 (required by sentinel) - correlator Dockerfiles: golang:1.21 → golang:1.24 - replace directives in go.mod for ja4common local path - pyproject.toml: setuptools.backends → setuptools.build_meta - Removed static libpcap linking (unavailable on Rocky 9) - Fixed data races in output/writers_test.go (sync.Mutex + atomic.Int32) - Rewrote corrupted test files (logger_test.go × 2) Test coverage: - correlator: 67.1% total (unixsocket 80.5%, config 91.7%, app 83.3%, multi 87.7%, stdout 100%) - sentinel: all 10 packages pass (api, capture, config, fingerprint, ipfilter, logging, output, tlsparse) Documentation: - README.md + docs/ (architecture, development, 5 services, shared libs, DB schema & migrations) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
142 lines
5.0 KiB
Python
142 lines
5.0 KiB
Python
"""
|
|
Endpoints pour l'analyse des attaques par force brute sur les formulaires
|
|
"""
|
|
from fastapi import APIRouter, HTTPException, Query
|
|
|
|
from ..database import db
|
|
|
|
router = APIRouter(prefix="/api/bruteforce", tags=["bruteforce"])
|
|
|
|
|
|
@router.get("/targets")
|
|
async def get_bruteforce_targets():
|
|
"""Liste des hôtes ciblés par brute-force, triés par total_hits DESC."""
|
|
try:
|
|
sql = """
|
|
SELECT
|
|
host,
|
|
uniq(src_ip) AS unique_ips,
|
|
sum(hits) AS total_hits,
|
|
sum(query_params_count) AS total_params,
|
|
groupArray(3)(ja4) AS top_ja4s
|
|
FROM mabase_prod.view_form_bruteforce_detected
|
|
GROUP BY host
|
|
ORDER BY total_hits DESC
|
|
"""
|
|
result = db.query(sql)
|
|
items = []
|
|
for row in result.result_rows:
|
|
host = str(row[0])
|
|
unique_ips = int(row[1])
|
|
total_hits = int(row[2])
|
|
total_params= int(row[3])
|
|
top_ja4s = [str(j) for j in (row[4] or [])]
|
|
attack_type = (
|
|
"credential_stuffing"
|
|
if total_hits > 0 and total_params / total_hits > 0.5
|
|
else "enumeration"
|
|
)
|
|
items.append({
|
|
"host": host,
|
|
"unique_ips": unique_ips,
|
|
"total_hits": total_hits,
|
|
"total_params":total_params,
|
|
"attack_type": attack_type,
|
|
"top_ja4s": top_ja4s,
|
|
})
|
|
return {"items": items, "total": len(items)}
|
|
except Exception as e:
|
|
raise HTTPException(status_code=500, detail=str(e))
|
|
|
|
|
|
@router.get("/attackers")
|
|
async def get_bruteforce_attackers(limit: int = Query(50, ge=1, le=500)):
|
|
"""Top IPs attaquantes triées par total_hits DESC."""
|
|
try:
|
|
sql = """
|
|
SELECT
|
|
replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS ip,
|
|
uniq(host) AS distinct_hosts,
|
|
sum(hits) AS total_hits,
|
|
sum(query_params_count) AS total_params,
|
|
argMax(ja4, hits) AS ja4
|
|
FROM mabase_prod.view_form_bruteforce_detected
|
|
GROUP BY src_ip
|
|
ORDER BY total_hits DESC
|
|
LIMIT %(limit)s
|
|
"""
|
|
result = db.query(sql, {"limit": limit})
|
|
items = []
|
|
for row in result.result_rows:
|
|
items.append({
|
|
"ip": str(row[0]),
|
|
"distinct_hosts":int(row[1]),
|
|
"total_hits": int(row[2]),
|
|
"total_params": int(row[3]),
|
|
"ja4": str(row[4]),
|
|
})
|
|
return {"items": items, "total": len(items)}
|
|
except Exception as e:
|
|
raise HTTPException(status_code=500, detail=str(e))
|
|
|
|
|
|
@router.get("/timeline")
|
|
async def get_bruteforce_timeline():
|
|
"""Hits par heure (dernières 72h) depuis agg_host_ip_ja4_1h."""
|
|
try:
|
|
sql = """
|
|
SELECT
|
|
toHour(window_start) AS hour,
|
|
sum(hits) AS hits,
|
|
uniq(replaceRegexpAll(toString(src_ip), '^::ffff:', '')) AS ips
|
|
FROM mabase_prod.agg_host_ip_ja4_1h
|
|
WHERE window_start >= now() - INTERVAL 72 HOUR
|
|
GROUP BY hour
|
|
ORDER BY hour ASC
|
|
"""
|
|
result = db.query(sql)
|
|
hours = []
|
|
for row in result.result_rows:
|
|
hours.append({
|
|
"hour": int(row[0]),
|
|
"hits": int(row[1]),
|
|
"ips": int(row[2]),
|
|
})
|
|
return {"hours": hours}
|
|
except Exception as e:
|
|
raise HTTPException(status_code=500, detail=str(e))
|
|
|
|
|
|
@router.get("/host/{host:path}/attackers")
|
|
async def get_host_attackers(host: str, limit: int = Query(20, ge=1, le=200)):
|
|
"""Top IPs attaquant un hôte spécifique, avec JA4 et type d'attaque."""
|
|
try:
|
|
sql = """
|
|
SELECT
|
|
replaceRegexpAll(toString(src_ip), '^::ffff:', '') AS ip,
|
|
sum(hits) AS total_hits,
|
|
sum(query_params_count) AS total_params,
|
|
argMax(ja4, hits) AS ja4,
|
|
max(hits) AS max_hits_per_window
|
|
FROM mabase_prod.view_form_bruteforce_detected
|
|
WHERE host = %(host)s
|
|
GROUP BY src_ip
|
|
ORDER BY total_hits DESC
|
|
LIMIT %(limit)s
|
|
"""
|
|
result = db.query(sql, {"host": host, "limit": limit})
|
|
items = []
|
|
for row in result.result_rows:
|
|
total_hits = int(row[1])
|
|
total_params = int(row[2])
|
|
items.append({
|
|
"ip": str(row[0]),
|
|
"total_hits": total_hits,
|
|
"total_params":total_params,
|
|
"ja4": str(row[3] or ""),
|
|
"attack_type": "credential_stuffing" if total_hits > 0 and total_params / total_hits > 0.5 else "enumeration",
|
|
})
|
|
return {"host": host, "items": items, "total": len(items)}
|
|
except Exception as e:
|
|
raise HTTPException(status_code=500, detail=str(e))
|