anti
3f080f601d
New MalHashProvider sibling ABC (decnet/intel/base.py) since SHA-256 is a different keyspace from IntelProvider's IPs. MalwareBazaarProvider mirrors FeodoProvider's bulk-feed shape: 24h refresh via _ensure_fresh / _refresh, in-memory set[str] of hex-lowercased hashes, set-membership lookup. Auth-keyed via DECNET_MALWAREBAZAAR_AUTH_KEY; absent key silent-no-ops the lane (single warning, no HTTP traffic). Per-hash observations persist to a new observed_attachments table. DECNET is a honeypot platform — every attachment hash an attacker delivers is intel, regardless of whether anyone classified it. Verdict is sticky: True never downgrades to False/None on subsequent observations. Out of scope: API surface, federation export, retention. Ingester _publish_email_received calls the provider for each attachment sha256, sets mal_hash_match on the bus payload (omitted entirely when the message had no attachments — keeps R0046's `is True` predicate silent on hash-less mail, matching pre-paydown behavior), and upserts the row regardless of provider availability.
392 lines
8.3 KiB
Python
392 lines
8.3 KiB
Python
"""
|
|
Database tables (SQLModel) and HTTP request/response shapes (Pydantic).
|
|
|
|
Split into topical modules for readability, but every symbol is re-exported
|
|
from this package so ``from decnet.web.db.models import X`` keeps working
|
|
everywhere — no importer needs to know which submodule a class lives in.
|
|
"""
|
|
from ._base import (
|
|
NullableDatetime,
|
|
NullableString,
|
|
_BIG_TEXT,
|
|
_normalize_null,
|
|
)
|
|
from .common import (
|
|
MessageResponse,
|
|
)
|
|
from .canary import (
|
|
CanaryBlob,
|
|
CanaryBlobResponse,
|
|
CanaryBlobsResponse,
|
|
CanaryKind,
|
|
CanaryState,
|
|
CanaryToken,
|
|
CanaryTokenCreateRequest,
|
|
CanaryTokenResponse,
|
|
CanaryTokensResponse,
|
|
CanaryTrigger,
|
|
CanaryTriggerResponse,
|
|
CanaryTriggersResponse,
|
|
)
|
|
from .auth import (
|
|
AdminConfigResponse,
|
|
ChangePasswordRequest,
|
|
ConfigResponse,
|
|
CreateUserRequest,
|
|
DeploymentLimitRequest,
|
|
GlobalMutationIntervalRequest,
|
|
LoginRequest,
|
|
ResetUserPasswordRequest,
|
|
Token,
|
|
UpdateUserRoleRequest,
|
|
User,
|
|
UserResponse,
|
|
)
|
|
from .attackers import (
|
|
Attacker,
|
|
AttackerBehavior,
|
|
AttackerFingerprintState,
|
|
AttackerIdentity,
|
|
AttackersResponse,
|
|
SessionProfile,
|
|
SmtpTarget,
|
|
)
|
|
from .attacker_intel import (
|
|
AttackerIntel,
|
|
)
|
|
from .attachments import (
|
|
ObservedAttachment,
|
|
)
|
|
from .campaigns import (
|
|
Campaign,
|
|
CampaignsResponse,
|
|
)
|
|
from .deploy import (
|
|
DeployIniRequest,
|
|
DeployResponse,
|
|
MutateIntervalRequest,
|
|
PurgeResponse,
|
|
)
|
|
from .decky import (
|
|
DeckyFileDeleteRequest,
|
|
DeckyFileDropRequest,
|
|
DeckyServiceAddRequest,
|
|
DeckyServiceConfigRequest,
|
|
DeckyServiceConfigResponse,
|
|
DeckyServicesResponse,
|
|
ServiceConfigFieldDTO,
|
|
ServiceSchemaResponse,
|
|
)
|
|
from .fleet import (
|
|
LOCAL_HOST_SENTINEL,
|
|
FleetDecky,
|
|
)
|
|
from .health import (
|
|
ComponentHealth,
|
|
HealthResponse,
|
|
)
|
|
from .orchestrator import (
|
|
OrchestratorEmail,
|
|
OrchestratorEmailsResponse,
|
|
OrchestratorEvent,
|
|
OrchestratorEventsResponse,
|
|
)
|
|
from .realism import (
|
|
RealismConfig,
|
|
SyntheticFile,
|
|
SyntheticFilesResponse,
|
|
)
|
|
from .logs import (
|
|
Bounty,
|
|
BountyResponse,
|
|
Credential,
|
|
CredentialReuse,
|
|
CredentialReuseResponse,
|
|
CredentialsResponse,
|
|
Log,
|
|
LogsResponse,
|
|
State,
|
|
StatsResponse,
|
|
)
|
|
from .swarm import (
|
|
DeckyShard,
|
|
DeckyShardView,
|
|
SwarmCheckResponse,
|
|
SwarmDeployRequest,
|
|
SwarmDeployResponse,
|
|
SwarmEnrolledBundle,
|
|
SwarmEnrollRequest,
|
|
SwarmHost,
|
|
SwarmHostHealth,
|
|
SwarmHostResult,
|
|
SwarmHostView,
|
|
SwarmTeardownRequest,
|
|
SwarmUpdaterBundle,
|
|
)
|
|
from .topology import (
|
|
LAN,
|
|
ArchetypeCatalogResponse,
|
|
ArchetypeEntry,
|
|
DeckyCreateRequest,
|
|
DeckyRow,
|
|
DeckyUpdateRequest,
|
|
DeployAcceptedResponse,
|
|
EdgeCreateRequest,
|
|
EdgeRow,
|
|
LANCreateRequest,
|
|
LANRow,
|
|
LANUpdateRequest,
|
|
MutationEnqueueRequest,
|
|
MutationEnqueueResponse,
|
|
MutationRow,
|
|
NextIPResponse,
|
|
NextSubnetResponse,
|
|
NotEditableResponse,
|
|
ReapReportResponse,
|
|
ServiceCatalogResponse,
|
|
Topology,
|
|
TopologyDecky,
|
|
TopologyDetail,
|
|
TopologyEdge,
|
|
TopologyGenerateRequest,
|
|
TopologyListResponse,
|
|
TopologyMutation,
|
|
TopologyStatusEvent,
|
|
TopologyStatusEventRow,
|
|
TopologySummary,
|
|
ValidationErrorResponse,
|
|
ValidationIssueResponse,
|
|
VersionConflictResponse,
|
|
)
|
|
from .updater import (
|
|
HostReleaseInfo,
|
|
HostReleasesResponse,
|
|
PushUpdateRequest,
|
|
PushUpdateResponse,
|
|
PushUpdateResult,
|
|
RollbackRequest,
|
|
RollbackResponse,
|
|
)
|
|
from .webhooks import (
|
|
SimpleEvent,
|
|
WebhookCreateRequest,
|
|
WebhookCreateResponse,
|
|
WebhookResponse,
|
|
WebhookSubscription,
|
|
WebhookTestResponse,
|
|
WebhookUpdateRequest,
|
|
)
|
|
from .workers import (
|
|
StartAllResponse,
|
|
StartFailure,
|
|
WorkerControlResponse,
|
|
WorkersResponse,
|
|
WorkerStatus,
|
|
)
|
|
from .tarpit import (
|
|
TarpitEnableRequest,
|
|
TarpitRule,
|
|
TarpitRuleResponse,
|
|
TarpitStatusResponse,
|
|
)
|
|
from .ttp import (
|
|
CampaignTechniqueRow,
|
|
CanaryFingerprintEvidence,
|
|
CommandEvidence,
|
|
EmailEvidence,
|
|
IdentityTechniqueRow,
|
|
IntelEvidence,
|
|
NavigatorLayer,
|
|
NavigatorTechnique,
|
|
RuleCatalogueRow,
|
|
RuleStateRequest,
|
|
RuleStateResponse,
|
|
TTPRule,
|
|
TTPRuleState,
|
|
TTPTag,
|
|
TTPTagDetailRow,
|
|
TechniqueRollupRow,
|
|
compute_tag_uuid,
|
|
)
|
|
|
|
__all__ = [
|
|
# _base
|
|
"NullableDatetime",
|
|
"NullableString",
|
|
"_BIG_TEXT",
|
|
"_normalize_null",
|
|
# common
|
|
"MessageResponse",
|
|
# canary
|
|
"CanaryBlob",
|
|
"CanaryBlobResponse",
|
|
"CanaryBlobsResponse",
|
|
"CanaryKind",
|
|
"CanaryState",
|
|
"CanaryToken",
|
|
"CanaryTokenCreateRequest",
|
|
"CanaryTokenResponse",
|
|
"CanaryTokensResponse",
|
|
"CanaryTrigger",
|
|
"CanaryTriggerResponse",
|
|
"CanaryTriggersResponse",
|
|
# auth
|
|
"AdminConfigResponse",
|
|
"ChangePasswordRequest",
|
|
"ConfigResponse",
|
|
"CreateUserRequest",
|
|
"DeploymentLimitRequest",
|
|
"GlobalMutationIntervalRequest",
|
|
"LoginRequest",
|
|
"ResetUserPasswordRequest",
|
|
"Token",
|
|
"UpdateUserRoleRequest",
|
|
"User",
|
|
"UserResponse",
|
|
# attackers
|
|
"Attacker",
|
|
"AttackerBehavior",
|
|
"AttackerFingerprintState",
|
|
"AttackerIdentity",
|
|
"AttackerIntel",
|
|
"AttackersResponse",
|
|
"ObservedAttachment",
|
|
"SessionProfile",
|
|
"SmtpTarget",
|
|
# campaigns
|
|
"Campaign",
|
|
"CampaignsResponse",
|
|
# deploy
|
|
"DeployIniRequest",
|
|
"DeployResponse",
|
|
"MutateIntervalRequest",
|
|
"PurgeResponse",
|
|
# fleet
|
|
"LOCAL_HOST_SENTINEL",
|
|
"DeckyFileDeleteRequest",
|
|
"DeckyFileDropRequest",
|
|
"DeckyServiceAddRequest",
|
|
"DeckyServiceConfigRequest",
|
|
"DeckyServiceConfigResponse",
|
|
"DeckyServicesResponse",
|
|
"FleetDecky",
|
|
"ServiceConfigFieldDTO",
|
|
"ServiceSchemaResponse",
|
|
# health
|
|
"ComponentHealth",
|
|
"HealthResponse",
|
|
# orchestrator
|
|
"OrchestratorEmail",
|
|
"OrchestratorEmailsResponse",
|
|
"OrchestratorEvent",
|
|
"OrchestratorEventsResponse",
|
|
# realism
|
|
"RealismConfig",
|
|
"SyntheticFile",
|
|
"SyntheticFilesResponse",
|
|
# logs
|
|
"Bounty",
|
|
"BountyResponse",
|
|
"Credential",
|
|
"CredentialReuse",
|
|
"CredentialReuseResponse",
|
|
"CredentialsResponse",
|
|
"Log",
|
|
"LogsResponse",
|
|
"State",
|
|
"StatsResponse",
|
|
# swarm
|
|
"DeckyShard",
|
|
"DeckyShardView",
|
|
"SwarmCheckResponse",
|
|
"SwarmDeployRequest",
|
|
"SwarmDeployResponse",
|
|
"SwarmEnrolledBundle",
|
|
"SwarmEnrollRequest",
|
|
"SwarmHost",
|
|
"SwarmHostHealth",
|
|
"SwarmHostResult",
|
|
"SwarmHostView",
|
|
"SwarmTeardownRequest",
|
|
"SwarmUpdaterBundle",
|
|
# topology
|
|
"LAN",
|
|
"ArchetypeCatalogResponse",
|
|
"ArchetypeEntry",
|
|
"DeckyCreateRequest",
|
|
"DeckyRow",
|
|
"DeckyUpdateRequest",
|
|
"DeployAcceptedResponse",
|
|
"EdgeCreateRequest",
|
|
"EdgeRow",
|
|
"LANCreateRequest",
|
|
"LANRow",
|
|
"LANUpdateRequest",
|
|
"MutationEnqueueRequest",
|
|
"MutationEnqueueResponse",
|
|
"MutationRow",
|
|
"NextIPResponse",
|
|
"NextSubnetResponse",
|
|
"NotEditableResponse",
|
|
"ReapReportResponse",
|
|
"ServiceCatalogResponse",
|
|
"Topology",
|
|
"TopologyDecky",
|
|
"TopologyDetail",
|
|
"TopologyEdge",
|
|
"TopologyGenerateRequest",
|
|
"TopologyListResponse",
|
|
"TopologyMutation",
|
|
"TopologyStatusEvent",
|
|
"TopologyStatusEventRow",
|
|
"TopologySummary",
|
|
"ValidationErrorResponse",
|
|
"ValidationIssueResponse",
|
|
"VersionConflictResponse",
|
|
# updater
|
|
"HostReleaseInfo",
|
|
"HostReleasesResponse",
|
|
"PushUpdateRequest",
|
|
"PushUpdateResponse",
|
|
"PushUpdateResult",
|
|
"RollbackRequest",
|
|
"RollbackResponse",
|
|
# webhooks
|
|
"SimpleEvent",
|
|
"WebhookCreateRequest",
|
|
"WebhookCreateResponse",
|
|
"WebhookResponse",
|
|
"WebhookSubscription",
|
|
"WebhookTestResponse",
|
|
"WebhookUpdateRequest",
|
|
# workers
|
|
"StartAllResponse",
|
|
"StartFailure",
|
|
"WorkerControlResponse",
|
|
"WorkersResponse",
|
|
"WorkerStatus",
|
|
# tarpit
|
|
"TarpitEnableRequest",
|
|
"TarpitRule",
|
|
"TarpitRuleResponse",
|
|
"TarpitStatusResponse",
|
|
# ttp
|
|
"CampaignTechniqueRow",
|
|
"CanaryFingerprintEvidence",
|
|
"CommandEvidence",
|
|
"EmailEvidence",
|
|
"IdentityTechniqueRow",
|
|
"TTPTagDetailRow",
|
|
"IntelEvidence",
|
|
"NavigatorLayer",
|
|
"NavigatorTechnique",
|
|
"RuleCatalogueRow",
|
|
"RuleStateRequest",
|
|
"RuleStateResponse",
|
|
"TTPRule",
|
|
"TTPRuleState",
|
|
"TTPTag",
|
|
"TechniqueRollupRow",
|
|
"compute_tag_uuid",
|
|
]
|