anti
11d749f13d
The active prober emits tcpfp_fingerprint events with TTL, window, MSS etc. from the attacker's SYN-ACK. These were invisible to the behavioral profiler for two reasons: 1. target_ip (prober's field name for attacker IP) was not in _IP_FIELDS in collector/worker.py or correlation/parser.py, so the profiler re-parsed raw_lines and got attacker_ip=None, never attributing prober events to the attacker profile. 2. sniffer_rollup only handled tcp_syn_fingerprint (passive sniffer) and ignored tcpfp_fingerprint (active prober). Prober events use different field names: window_size/window_scale/sack_ok vs window/wscale/has_sack. Changes: - Add target_ip to _IP_FIELDS in collector and parser - Add _PROBER_TCPFP_EVENT and _INITIAL_TTL table to behavioral.py - sniffer_rollup now processes tcpfp_fingerprint: maps field names, derives OS from TTL via _os_from_ttl, computes hop_distance = initial_ttl - observed - Expand prober DEFAULT_TCPFP_PORTS to [22,80,443,8080,8443,445,3389] for better SYN-ACK coverage on attacker machines - Add 4 tests covering prober OS detection, hop distance, and field mapping
12 KiB
12 KiB