feat(pr2): HTTP/2+HTTP/3 fingerprint extractors — JA4H, H2 SETTINGS, JA4-QUIC

2026-05-10 00:47:19 -04:00
parent 0653e500b5
commit 92632d7afd
25 changed files with 1885 additions and 48 deletions
--- a/decnet/web/db/models/attackers.py
+++ b/decnet/web/db/models/attackers.py
@@ -180,6 +180,15 @@ class AttackerIdentity(SQLModel, table=True):
    hassh_hashes: Optional[str] = Field(
        default=None, sa_column=Column("hassh_hashes", Text, nullable=True)
    )
+    ja4h_hashes: Optional[str] = Field(
+        default=None, sa_column=Column("ja4h_hashes", Text, nullable=True)
+    )
+    ja4_quic_hashes: Optional[str] = Field(
+        default=None, sa_column=Column("ja4_quic_hashes", Text, nullable=True)
+    )
+    http_versions_seen: Optional[str] = Field(
+        default=None, sa_column=Column("http_versions_seen", Text, nullable=True)
+    )
    # JSON list[str] — SHA-256 fingerprints of leaf certs presented by
    # attacker-run TLS servers, captured by the active prober alongside
    # JARM. Same federation-gossip rationale as ja3_hashes/hassh_hashes:
--- a/decnet/web/db/models/ttp.py
+++ b/decnet/web/db/models/ttp.py
@@ -89,6 +89,15 @@ class CanaryFingerprintEvidence(TypedDict):
    matched_signature: str  # signature ID, not raw fingerprint blob


+class HttpFingerprintEvidence(TypedDict):
+    kind: str          # "ja4h" | "h2_settings" | "h3_settings" | "ja4_quic"
+    hash: str          # fingerprint hash string (or empty for settings events)
+    protocol: str      # "h1" | "h2" | "h2c" | "h3"
+    client_ip: str
+    seen_at: str       # ISO8601 UTC
+    raw: Optional[dict]  # raw settings dict for h2_settings / h3_settings
+
+
 # ── Tables ──────────────────────────────────────────────────────────