feat: Phase 1 — JA3/JA3S sniffer, Attacker model, profile worker

Add passive TLS fingerprinting via a sniffer container on the MACVLAN interface, plus the Attacker table and periodic rebuild worker that correlates per-IP profiles from Log + Bounty + CorrelationEngine. - templates/sniffer/: Scapy sniffer with pure-Python TLS parser; emits tls_client_hello / tls_session RFC 5424 lines with ja3, ja3s, sni, alpn, raw_ciphers, raw_extensions; GREASE filtered per RFC 8701 - decnet/services/sniffer.py: service plugin (no ports, NET_RAW/NET_ADMIN) - decnet/web/db/models.py: Attacker SQLModel table + AttackersResponse - decnet/web/db/repository.py: 5 new abstract methods - decnet/web/db/sqlite/repository.py: implement all 5 (upsert, pagination, sort by recent/active/traversals, bounty grouping) - decnet/web/attacker_worker.py: 30s periodic rebuild via CorrelationEngine; extracts commands from log fields, merges fingerprint bounties - decnet/web/api.py: wire attacker_profile_worker into lifespan - decnet/web/ingester.py: extract JA3 bounty (fingerprint_type=ja3) - development/DEVELOPMENT.md: full attacker intelligence collection roadmap - pyproject.toml: scapy>=2.6.1 added to dev deps - tests: test_sniffer_ja3.py (40+ vectors), test_attacker_worker.py, test_base_repo.py / test_web_api.py updated for new surface
2026-04-13 20:22:08 -04:00
parent c9be447a38
commit 3dc5b509f6
16 changed files with 1818 additions and 8 deletions
--- a/decnet/web/db/models.py
+++ b/decnet/web/db/models.py
@@ -50,6 +50,27 @@ class State(SQLModel, table=True):
    key: str = Field(primary_key=True)
    value: str  # Stores JSON serialized DecnetConfig or other state blobs

+
+class Attacker(SQLModel, table=True):
+    __tablename__ = "attackers"
+    ip: str = Field(primary_key=True)
+    first_seen: datetime = Field(index=True)
+    last_seen: datetime = Field(index=True)
+    event_count: int = Field(default=0)
+    service_count: int = Field(default=0)
+    decky_count: int = Field(default=0)
+    services: str = Field(default="[]")       # JSON list[str]
+    deckies: str = Field(default="[]")        # JSON list[str], first-contact ordered
+    traversal_path: Optional[str] = None      # "decky-01 → decky-03 → decky-05"
+    is_traversal: bool = Field(default=False)
+    bounty_count: int = Field(default=0)
+    credential_count: int = Field(default=0)
+    fingerprints: str = Field(default="[]")   # JSON list[dict] — bounty fingerprints
+    commands: str = Field(default="[]")       # JSON list[dict] — commands per service/decky
+    updated_at: datetime = Field(
+        default_factory=lambda: datetime.now(timezone.utc), index=True
+    )
+
 # --- API Request/Response Models (Pydantic) ---

 class Token(BaseModel):
@@ -77,6 +98,12 @@ class BountyResponse(BaseModel):
    offset: int
    data: List[dict[str, Any]]

+class AttackersResponse(BaseModel):
+    total: int
+    limit: int
+    offset: int
+    data: List[dict[str, Any]]
+
 class StatsResponse(BaseModel):
    total_logs: int
    unique_attackers: int