79d86eba23

schema sql

2026-03-12 11:21:11 +01:00

20ebe7240e

Feat: HTTP threat detection via ClickHouse views + simplified shutdown
New detection views (sql/views.sql):
- Host identification by IP/JA4 (view_host_identification, view_host_ja4_anomalies)
- POST brute-force detection and variable query parameters
- Header fingerprinting (order, missing modern headers, Sec-CH-UA)
- ALPN mismatch detection (h2 declared but HTTP/1.1 spoken)
- Rate limiting & burst detection (50 req/min, 20 req/10s)
- Path enumeration/scanning (sensitive paths)
- Payload attacks (SQLi, XSS, path traversal)
- JA4 botnet detection (same fingerprint on 20+ IPs)
- Correlation quality (orphan ratio >80%)
ClickHouse (sql/init.sql):
- ZSTD(3) compression on text fields (path, query, headers, ja3/ja4)
- Automatic TTL: 1 day (raw) + 7 days (http_logs)
- Parameter ttl_only_drop_parts = 1
Simplified shutdown (internal/app/orchestrator.go):
- Removed ShutdownTimeout and the flush/wait logic
- Stop() = cancel() + Close() only
- systemd TimeoutStopSec handles the forced stop if needed
File output toggle (internal/config/*.go):
- Added Enabled field in FileOutputConfig
- The file sink is only created if enabled && path != ''
- Tests: TestValidate_FileOutputDisabled, TestLoadConfig_FileOutputDisabled
RPM packaging (packaging/rpm/logcorrelator.spec):
- Changelog 1.1.18 → 1.1.22
- Removed logcorrelator-tmpfiles.conf (redundant with RuntimeDirectory=)
Cleanup:
- idees.txt → idees/ (directory)
- Removed 91.224.92.185.txt (example logs)
Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

2026-03-11 18:28:07 +01:00

5df2fd965b

view

2026-03-09 08:37:59 +01:00

703b2b5181

update views

2026-03-08 23:51:04 +01:00

7b5d31d1a9

files: add SQL aggregation queries

2026-03-08 23:21:21 +01:00

9979644b62

fix: materialized view

2026-03-05 16:35:40 +01:00

703cc22cac

fix: add new columns in ClickHouse

2026-03-05 16:23:48 +01:00

ae3da359fa

docs: add sql/init.sql + update README ClickHouse schema
- feat: sql/init.sql: complete ClickHouse initialisation (db, tables, MV, users)
- feat: http_logs table updated with all the real fields of the correlated JSON
- add tcp_meta_mss (UInt16), tcp_meta_window_scale (UInt8), tls_alpn (LowCardinality)
- add keepalives, a_timestamp, b_timestamp, conn_id, ip_meta_id, ip_meta_total_length
- add all missing header_* columns (x_request_id, x_trace_id, sec_fetch_*, etc.)
- type fixes: ip_meta_id/ip_meta_total_length UInt32 → UInt16
- feat: complete materialized view with coalesce() on all fields
- docs: README schema section replaced by a reference to sql/init.sql + column table
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

2026-03-05 14:28:44 +01:00