anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(stix_export): wire fingerprint bounties through all endpoints + tests

Browse Source 
Remaining files from the fingerprint-bounties + characterizes-SRO commit:
misp_export, repository, bounties mixin, all 4 router endpoints, and test suite
updates. Prerequisite: previous commit added _extract_fingerprint_bounty_data
and the stix_export changes.
This commit is contained in:
anti
2026-05-09 09:14:48 -04:00
parent 51d0fc7b6c
commit 4c6b12dcf8
13 changed files with 181 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
decnet/ttp/misp_export.py
View File

@@ -48,6 +48,7 @@ def build_attacker_misp_event(
smtp_targets: list[dict[str, Any]],
commands: list[str] | None = None,
observations: list[dict[str, Any]] | None = None,
fingerprint_bounties: list[dict[str, Any]] | None = None,
) -> dict[str, Any]:
"""Return a MISP event dict for *attacker*.
@@ -65,6 +66,7 @@ def build_attacker_misp_event(
smtp_targets=smtp_targets,
commands=commands,
observations=observations,
fingerprint_bounties=fingerprint_bounties,
)
return _parse_bundle(bundle)
@@ -73,6 +75,7 @@ def build_fleet_misp_collection(
rows: list[dict[str, Any]],
ttp_by_attacker: dict[str, list[dict[str, Any]]],
observations_by_attacker: dict[str, list[dict[str, Any]]] | None = None,
fingerprint_bounties_by_ip: dict[str, list[dict[str, Any]]] | None = None,
) -> dict[str, Any]:
"""Return a MISP collection dict with one event per attacker in *rows*.
@@ -84,6 +87,7 @@ def build_fleet_misp_collection(
"""
events: list[dict[str, Any]] = []
obs_map = observations_by_attacker or {}
fp_map = fingerprint_bounties_by_ip or {}
for row in rows:
raw_cmds = row.get("commands") or []
if isinstance(raw_cmds, str):
@@ -107,6 +111,7 @@ def build_fleet_misp_collection(
smtp_targets=[],
commands=cmds,
observations=obs_map.get(row["uuid"]),
fingerprint_bounties=fp_map.get(row.get("ip", ""), []),
)
event = _parse_bundle(bundle)
if event:

21
decnet/web/db/repository.py
View File

@@ -394,6 +394,27 @@ class BaseRepository(ABC):
"""
raise NotImplementedError
async def get_fingerprint_bounties_by_ip(
self, ip: str
) -> list[dict[str, Any]]:
"""Return all fingerprint bounties for *ip* with parsed payload dicts.
Filters to ``bounty_type='fingerprint'``. Each returned dict has the
standard Bounty columns plus a decoded ``payload`` dict.
"""
raise NotImplementedError
async def get_all_fingerprint_bounties_for_export(
self,
) -> dict[str, list[dict[str, Any]]]:
"""Return ``{attacker_ip: [bounty_dict, ...]}`` for all fingerprint
bounties in the database.
Used by fleet exports to attach per-attacker fingerprint bounties
(JARM hashes, HTTP quirks) without N+1 queries.
"""
raise NotImplementedError
async def upsert_observed_attachment(
self,
*,

34
decnet/web/db/sqlmodel_repo/bounties.py
View File

@@ -141,6 +141,40 @@ class BountiesMixin(_MixinBase):
grouped[item.attacker_ip].append(d)
return dict(grouped)
async def get_fingerprint_bounties_by_ip(self, ip: str) -> List[dict[str, Any]]:
async with self._session() as session:
result = await session.execute(
select(Bounty)
.where(Bounty.attacker_ip == ip, Bounty.bounty_type == "fingerprint")
.order_by(asc(Bounty.timestamp))
)
out: List[dict[str, Any]] = []
for item in result.scalars().all():
d = item.model_dump(mode="json")
try:
d["payload"] = json.loads(d["payload"])
except (json.JSONDecodeError, TypeError):
pass
out.append(d)
return out
async def get_all_fingerprint_bounties_for_export(self) -> dict[str, List[dict[str, Any]]]:
async with self._session() as session:
result = await session.execute(
select(Bounty)
.where(Bounty.bounty_type == "fingerprint")
.order_by(asc(Bounty.timestamp))
)
grouped: dict[str, List[dict[str, Any]]] = defaultdict(list)
for item in result.scalars().all():
d = item.model_dump(mode="json")
try:
d["payload"] = json.loads(d["payload"])
except (json.JSONDecodeError, TypeError):
pass
grouped[item.attacker_ip].append(d)
return dict(grouped)
async def count_probe_relays(self, attacker_ip: str, decky: str) -> int:
"""Return how many probe_relay bounties exist for this (attacker_ip, decky) pair."""
async with self._session() as session:

3
decnet/web/router/attackers/api_export_attacker_misp.py
View File

@@ -66,6 +66,7 @@ async def api_export_attacker_misp(
repo.list_smtp_targets(uuid),
repo.list_attacker_commands_deduped(uuid),
repo.list_observations_by_attacker(uuid),
repo.get_fingerprint_bounties_by_ip(attacker["ip"]),
)
behavior = cast(dict[str, Any] | None, results[0])
identity = cast(dict[str, Any] | None, results[1])
@@ -76,6 +77,7 @@ async def api_export_attacker_misp(
smtp_targets = cast(list[dict[str, Any]], results[6])
commands = cast(list[str], results[7])
observations = cast(list[dict[str, Any]], results[8])
fingerprint_bounties = cast(list[dict[str, Any]], results[9])
event = build_attacker_misp_event(
attacker=attacker,
@@ -91,6 +93,7 @@ async def api_export_attacker_misp(
smtp_targets=smtp_targets,
commands=commands,
observations=observations,
fingerprint_bounties=fingerprint_bounties,
)
return Response(
content=json.dumps(event, default=str),

3
decnet/web/router/attackers/api_export_attacker_stix.py
View File

@@ -70,6 +70,7 @@ async def api_export_attacker_stix(
repo.list_smtp_targets(uuid),
repo.list_attacker_commands_deduped(uuid),
repo.list_observations_by_attacker(uuid),
repo.get_fingerprint_bounties_by_ip(attacker["ip"]),
)
behavior = cast(dict[str, Any] | None, results[0])
identity = cast(dict[str, Any] | None, results[1])
@@ -80,6 +81,7 @@ async def api_export_attacker_stix(
smtp_targets = cast(list[dict[str, Any]], results[6])
commands = cast(list[str], results[7])
observations = cast(list[dict[str, Any]], results[8])
fingerprint_bounties = cast(list[dict[str, Any]], results[9])
bundle = build_attacker_bundle(
attacker=attacker,
@@ -95,6 +97,7 @@ async def api_export_attacker_stix(
smtp_targets=smtp_targets,
commands=commands,
observations=observations,
fingerprint_bounties=fingerprint_bounties,
)
return Response(
content=bundle.serialize(pretty=True, indent=2),

4
decnet/web/router/attackers/api_export_attackers_misp.py
View File

@@ -43,15 +43,17 @@ async def api_export_attackers_misp(
user: dict[str, Any] = Depends(require_viewer),
) -> Response:
"""Download a MISP collection JSON covering every observed attacker."""
rows, ttp_by_attacker, obs_by_attacker = await asyncio.gather(
rows, ttp_by_attacker, obs_by_attacker, fp_by_ip = await asyncio.gather(
repo.get_all_attackers_for_export(),
repo.get_all_ttp_rollups_for_export(),
repo.get_all_observations_for_export(),
repo.get_all_fingerprint_bounties_for_export(),
)
collection = build_fleet_misp_collection(
rows=rows,
ttp_by_attacker=ttp_by_attacker,
observations_by_attacker=obs_by_attacker,
fingerprint_bounties_by_ip=fp_by_ip,
)
ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
return Response(

9
decnet/web/router/attackers/api_export_attackers_stix.py
View File

@@ -42,11 +42,12 @@ async def api_export_attackers_stix(
user: dict[str, Any] = Depends(require_viewer),
) -> Response:
"""Download a STIX 2.1 bundle covering every observed attacker."""
rows, ttp_by_attacker, obs_by_attacker = await _gather_fleet_data()
rows, ttp_by_attacker, obs_by_attacker, fp_by_ip = await _gather_fleet_data()
bundle = build_fleet_bundle(
rows=rows,
ttp_by_attacker=ttp_by_attacker,
observations_by_attacker=obs_by_attacker,
fingerprint_bounties_by_ip=fp_by_ip,
)
ts = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
return Response(
@@ -64,11 +65,13 @@ async def _gather_fleet_data() -> tuple[
list[dict[str, Any]],
dict[str, list[dict[str, Any]]],
dict[str, list[dict[str, Any]]],
dict[str, list[dict[str, Any]]],
]:
import asyncio
rows, ttp_by_attacker, obs_by_attacker = await asyncio.gather(
rows, ttp_by_attacker, obs_by_attacker, fp_by_ip = await asyncio.gather(
repo.get_all_attackers_for_export(),
repo.get_all_ttp_rollups_for_export(),
repo.get_all_observations_for_export(),
repo.get_all_fingerprint_bounties_for_export(),
)
return rows, ttp_by_attacker, obs_by_attacker
return rows, ttp_by_attacker, obs_by_attacker, fp_by_ip