service-bus: document attacker.fingerprint_rotated topic

New derived event published by the prober (via
decnet.correlation.fingerprint_rotation) when a probe produces a
different hash than the last persisted hash for the same
(attacker_uuid, port, probe_type) triple. Carries both old_hash and
new_hash so consumers don't have to join. See DECNET commit 6c6f97e8
for the producer-side implementation.
2026-05-03 05:13:28 -04:00
parent 571691a866
commit 340be18cb5

@@ -159,6 +159,8 @@ Current topic families:
| `attacker.observed` | Correlator | first sighting; consumed by `decnet enrich` as a wake signal |
| `attacker.scored` | Profiler | post-enrichment score update; also wakes `decnet enrich` |
| `attacker.intel.enriched` | `decnet enrich` | `{attacker_ip, aggregate_verdict, providers}` after a threat-intel pass; webhook → SIEM |
| `attacker.fingerprinted` | Prober | `{attacker_ip, port, jarm_hash\|hassh_server\|tcpfp_hash, ...}` — fires on every successful active probe result. Distinct from `attacker.observed` (correlator first-sight); a fingerprint is additional evidence about an already-observed attacker. |
| `attacker.fingerprint_rotated` | Prober (via `decnet.correlation.fingerprint_rotation`) | `{attacker_uuid, attacker_ip, port, probe_type, old_hash, new_hash, rotation_count, ts}` — fires only when a probe produces a *different* hash than the last persisted hash for the same `(attacker_uuid, port, probe_type)` triple. Carries both old and new hash so consumers don't have to join. Indicates infrastructure churn / VPS rotation / banner rewrite / cert swap. Consumers: dashboard, forensics, attribution clustering. |
| `identity.formed` | _reserved (clusterer)_ | `{identity_uuid, observation_uuids: [...], confidence, first_seen_at}` — clusterer creates a new identity from one or more observations |
| `identity.observation.linked` | _reserved (clusterer)_ | `{identity_uuid, observation_uuid, confidence_after}` — observation attached / re-attached to an identity |
| `identity.merged` | _reserved (clusterer)_ | `{winner_uuid, loser_uuid, observation_uuids: [...], confidence_after}` — two identities collapsed; subscribers re-key cached references to the winner |
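Review bot: the `attacker.fingerprint_rotated` row does not say what happens on the first probe for a given `(attacker_uuid, port, probe_type)` triple, when there is no persisted hash to compare against. "Fires only when a probe produces a *different* hash than the last persisted hash" can be read either way, so state explicitly that no event is emitted in that case, or that `old_hash` is null if one is. The same row should also list the allowed `probe_type` values and how they map to the `jarm_hash|hassh_server|tcpfp_hash` fields in the `attacker.fingerprinted` row above it, and say whether `rotation_count` is counted per triple or per attacker, since the dashboard, forensics and attribution-clustering consumers named here will key on those fields.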