DECNET/decnet/correlation/__init__.py at 7ad7e1e53b865d749d568629852d00dafcf29d2f - DECNET - RESACA Chile: Donde la ciberseguridad se chupa una chela.

anti/DECNET

Files

anti bff03d1198 Add cross-decky correlation engine and decnet correlate command

When the same attacker IP touches multiple deckies, the engine builds a
chronological traversal graph and reports the lateral movement path.

decnet/correlation/
  parser.py   — RFC 5424 line → LogEvent; handles src_ip + src field variants
  graph.py    — AttackerTraversal / TraversalHop data types with path/duration
  engine.py   — CorrelationEngine: ingest(), traversals(), report_table/json,
                traversal_syslog_lines() (emits WARNING-severity RFC 5424)
  __init__.py — public API re-exports

decnet/cli.py — `decnet correlate` command (--log-file, --min-deckies,
                --output table|json|syslog, --emit-syslog)

tests/test_correlation.py — 49 tests: parser, graph, engine, reporting

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-04 13:53:30 -03:00

14 lines

353 B

Python

Raw Blame History

 """Cross-decky correlation engine for DECNET."""
 from decnet.correlation.engine import CorrelationEngine
 from decnet.correlation.graph import AttackerTraversal, TraversalHop
 from decnet.correlation.parser import LogEvent, parse_line
 __all__ = [
     "CorrelationEngine",
     "AttackerTraversal",
     "TraversalHop",
     "LogEvent",
     "parse_line",
 ]