Add cross-decky correlation engine and decnet correlate command

When the same attacker IP touches multiple deckies, the engine builds a chronological traversal graph and reports the lateral movement path. decnet/correlation/ parser.py — RFC 5424 line → LogEvent; handles src_ip + src field variants graph.py — AttackerTraversal / TraversalHop data types with path/duration engine.py — CorrelationEngine: ingest(), traversals(), report_table/json, traversal_syslog_lines() (emits WARNING-severity RFC 5424) __init__.py — public API re-exports decnet/cli.py — `decnet correlate` command (--log-file, --min-deckies, --output table|json|syslog, --emit-syslog) tests/test_correlation.py — 49 tests: parser, graph, engine, reporting Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 13:53:30 -03:00
parent 7aff040579
commit bff03d1198
6 changed files with 870 additions and 0 deletions
--- a/decnet/correlation/init.py
+++ b/decnet/correlation/init.py
@@ -0,0 +1,13 @@
+"""Cross-decky correlation engine for DECNET."""
+
+from decnet.correlation.engine import CorrelationEngine
+from decnet.correlation.graph import AttackerTraversal, TraversalHop
+from decnet.correlation.parser import LogEvent, parse_line
+
+__all__ = [
+    "CorrelationEngine",
+    "AttackerTraversal",
+    "TraversalHop",
+    "LogEvent",
+    "parse_line",
+]