logcorrelator

Author	SHA1	Message	Date
toto	20ebe7240e	Feat: Détection menaces HTTP via vues ClickHouse + simplification shutdown Some checks failed Build and Test / test (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Build and Test / docker (push) Has been cancelled Details Nouvelles vues de détection (sql/views.sql) : - Identification hosts par IP/JA4 (view_host_identification, view_host_ja4_anomalies) - Détection brute force POST et query params variables - Header fingerprinting (ordre, headers modernes manquants, Sec-CH-UA) - ALPN mismatch detection (h2 déclaré mais HTTP/1.1 parlé) - Rate limiting & burst detection (50 req/min, 20 req/10s) - Path enumeration/scanning (paths sensibles) - Payload attacks (SQLi, XSS, path traversal) - JA4 botnet detection (même fingerprint sur 20+ IPs) - Correlation quality (orphan ratio >80%) ClickHouse (sql/init.sql) : - Compression ZSTD(3) sur champs texte (path, query, headers, ja3/ja4) - TTL automatique : 1 jour (raw) + 7 jours (http_logs) - Paramètre ttl_only_drop_parts = 1 Shutdown simplifié (internal/app/orchestrator.go) : - Suppression ShutdownTimeout et logique de flush/attente - Stop() = cancel() + Close() uniquement - systemd TimeoutStopSec gère l'arrêt forcé si besoin File output toggle (internal/config/*.go) : - Ajout champ Enabled dans FileOutputConfig - Le sink fichier n'est créé que si enabled && path != '' - Tests : TestValidate_FileOutputDisabled, TestLoadConfig_FileOutputDisabled RPM packaging (packaging/rpm/logcorrelator.spec) : - Changelog 1.1.18 → 1.1.22 - Suppression logcorrelator-tmpfiles.conf (redondant RuntimeDirectory=) Nettoyage : - idees.txt → idees/ (dossier) - Suppression 91.224.92.185.txt (logs exemple) Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>	2026-03-11 18:28:07 +01:00
toto	7b5d31d1a9	files: ajout des requetes sql d aggregation Some checks failed Build and Test / test (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Build and Test / docker (push) Has been cancelled Details	2026-03-08 23:21:21 +01:00
toto	9979644b62	fix: materialized view Some checks failed Build and Test / test (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Build and Test / docker (push) Has been cancelled Details	2026-03-05 16:35:40 +01:00
toto	703cc22cac	fix: ajout de nouvelles collones dans clickhouse	2026-03-05 16:23:48 +01:00
toto	ae3da359fa	docs: add sql/init.sql + update README ClickHouse schema Some checks failed Build and Test / test (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Build and Test / docker (push) Has been cancelled Details - feat: sql/init.sql — initialisation complète ClickHouse (db, tables, MV, users) - feat: table http_logs mise à jour avec tous les champs réels du JSON corrélé - ajout tcp_meta_mss (UInt16), tcp_meta_window_scale (UInt8), tls_alpn (LowCardinality) - ajout keepalives, a_timestamp, b_timestamp, conn_id, ip_meta_id, ip_meta_total_length - ajout tous les header_* manquants (x_request_id, x_trace_id, sec_fetch_*, etc.) - correction types: ip_meta_id/ip_meta_total_length UInt32 → UInt16 - feat: vue matérialisée complète avec coalesce() sur tous les champs - docs: README schema section remplacée par référence à sql/init.sql + tableau des colonnes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-03-05 14:28:44 +01:00

5 Commits