change detection rules default to alert only
@@ -28,18 +28,18 @@ type ThreatRule struct {
|
||||
|
||||
// ThreatEvent represents a detected threat event
|
||||
type ThreatEvent struct {
|
||||
ID int `json:"id"`
|
||||
IP string `json:"ip"`
|
||||
Service string `json:"service"`
|
||||
EventType string `json:"event_type"` // "brute_force", "port_scan", "suspicious_activity"
|
||||
Severity string `json:"severity"` // "low", "medium", "high", "critical"
|
||||
Count int `json:"count"`
|
||||
FirstSeen time.Time `json:"first_seen"`
|
||||
LastSeen time.Time `json:"last_seen"`
|
||||
Details map[string]interface{} `json:"details"`
|
||||
RuleID *int `json:"rule_id,omitempty"`
|
||||
Blocked bool `json:"blocked"`
|
||||
CreatedAt time.Time `json:"created_at"`
|
||||
ID int `json:"id"`
|
||||
IP string `json:"ip"`
|
||||
Service string `json:"service"`
|
||||
EventType string `json:"event_type"` // "brute_force", "port_scan", "suspicious_activity"
|
||||
Severity string `json:"severity"` // "low", "medium", "high", "critical"
|
||||
Count int `json:"count"`
|
||||
FirstSeen time.Time `json:"first_seen"`
|
||||
LastSeen time.Time `json:"last_seen"`
|
||||
Details map[string]interface{} `json:"details"`
|
||||
RuleID *int `json:"rule_id,omitempty"`
|
||||
Blocked bool `json:"blocked"`
|
||||
CreatedAt time.Time `json:"created_at"`
|
||||
}
|
||||
|
||||
// IPReport represents comprehensive IP analysis
|
||||
@@ -143,9 +143,9 @@ func (ta *ThreatAnalyzer) insertDefaultRules() error {
|
||||
Description: "Detect SSH brute force attempts",
|
||||
Service: "ssh",
|
||||
Condition: "auth_attempts",
|
||||
Threshold: 10,
|
||||
Threshold: 5,
|
||||
TimeWindow: 60, // 1 hour
|
||||
Action: "block",
|
||||
Action: "alert",
|
||||
Enabled: true,
|
||||
},
|
||||
{
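Review bot: The three default rules now each hard-code `Action: "alert"` as a bare string literal, and createThreatEvent decides whether to call blockIP by comparing that same free-form field against `"block"` (visible in the -491 hunk), while CreateRule (-206 hunk) inserts whatever action string it is given; a typo in any of these places silently turns blocking off with no error. Declare the two values once, e.g. `const ( ruleActionAlert = "alert"; ruleActionBlock = "block" )`, use them in insertDefaultRules and change the check to `if rule.Action == ruleActionBlock {`. Separately, if insertDefaultRules only inserts a rule when ruleExists reports it absent (the method is visible in the -206 hunk header, but the call site is outside this hunk), databases created before this commit keep the stored `block` action and the old thresholds, so the alert-only default applies to fresh installs only; that deserves a comment on the rules slice such as `// Defaults are inserted only when a rule of the same name is absent; existing rules keep their stored action and threshold.` The rules slice begins before this hunk and continues past it.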
|
||||
@@ -163,9 +163,9 @@ func (ta *ThreatAnalyzer) insertDefaultRules() error {
|
||||
Description: "Detect port scanning across multiple services",
|
||||
Service: "*",
|
||||
Condition: "service_diversity",
|
||||
Threshold: 5, // 5 different services
|
||||
Threshold: 3, // 3 different services
|
||||
TimeWindow: 15, // 15 minutes
|
||||
Action: "block",
|
||||
Action: "alert",
|
||||
Enabled: true,
|
||||
},
|
||||
{
|
||||
@@ -173,9 +173,9 @@ func (ta *ThreatAnalyzer) insertDefaultRules() error {
|
||||
Description: "Detect FTP brute force attempts",
|
||||
Service: "ftp",
|
||||
Condition: "auth_attempts",
|
||||
Threshold: 15,
|
||||
Threshold: 5,
|
||||
TimeWindow: 60,
|
||||
Action: "block",
|
||||
Action: "alert",
|
||||
Enabled: true,
|
||||
},
|
||||
}
|
||||
@@ -206,7 +206,7 @@ func (ta *ThreatAnalyzer) ruleExists(name string) (bool, error) {
|
||||
func (ta *ThreatAnalyzer) CreateRule(rule ThreatRule) error {
|
||||
query := `INSERT INTO threat_rules (name, description, service, condition, threshold, time_window, action, enabled)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
|
||||
|
||||
|
||||
_, err := ta.db.Exec(query, rule.Name, rule.Description, rule.Service, rule.Condition,
|
||||
rule.Threshold, rule.TimeWindow, rule.Action, rule.Enabled)
|
||||
return err
|
||||
@@ -216,7 +216,7 @@ func (ta *ThreatAnalyzer) CreateRule(rule ThreatRule) error {
|
||||
func (ta *ThreatAnalyzer) GetRules() ([]ThreatRule, error) {
|
||||
query := `SELECT id, name, description, service, condition, threshold, time_window, action, enabled, created_at, updated_at
|
||||
FROM threat_rules ORDER BY created_at DESC`
|
||||
|
||||
|
||||
rows, err := ta.db.Query(query)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -244,11 +244,11 @@ func (ta *ThreatAnalyzer) AnalyzeIP(ip string) (*IPReport, error) {
|
||||
// Get basic IP statistics
|
||||
query := `SELECT total_connections, total_auth_attempts, services, threat_score, is_blocked, first_seen, last_seen, geo_location
|
||||
FROM ip_analysis WHERE ip = ?`
|
||||
|
||||
|
||||
var servicesJSON, geoJSON sql.NullString
|
||||
err := ta.db.QueryRow(query, ip).Scan(&report.TotalConnections, &report.TotalAuthAttempts,
|
||||
&servicesJSON, &report.ThreatScore, &report.IsBlocked, &report.FirstSeen, &report.LastSeen, &geoJSON)
|
||||
|
||||
|
||||
if err != nil && err != sql.ErrNoRows {
|
||||
return nil, err
|
||||
}
|
||||
@@ -276,7 +276,7 @@ func (ta *ThreatAnalyzer) AnalyzeIP(ip string) (*IPReport, error) {
|
||||
func (ta *ThreatAnalyzer) GetThreatEventsByIP(ip string) ([]ThreatEvent, error) {
|
||||
query := `SELECT id, ip, service, event_type, severity, count, first_seen, last_seen, details, rule_id, blocked, created_at
|
||||
FROM threat_events WHERE ip = ? ORDER BY last_seen DESC`
|
||||
|
||||
|
||||
rows, err := ta.db.Query(query, ip)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -314,7 +314,7 @@ func (ta *ThreatAnalyzer) GetThreatEventsByIP(ip string) ([]ThreatEvent, error)
|
||||
func (ta *ThreatAnalyzer) GetIPReports(filters map[string]interface{}) ([]IPReport, error) {
|
||||
query := `SELECT ip, total_connections, total_auth_attempts, services, threat_score, is_blocked, first_seen, last_seen, geo_location
|
||||
FROM ip_analysis WHERE 1=1`
|
||||
|
||||
|
||||
var args []interface{}
|
||||
var conditions []string
|
||||
|
||||
@@ -491,11 +491,11 @@ func (ta *ThreatAnalyzer) evaluateRule(rule ThreatRule, record LogRecord) (bool,
|
||||
// createThreatEvent creates a new threat event
|
||||
func (ta *ThreatAnalyzer) createThreatEvent(rule ThreatRule, record LogRecord) error {
|
||||
detailsJSON, _ := json.Marshal(record.Details)
|
||||
|
||||
|
||||
// Determine event type and severity based on rule
|
||||
eventType := "suspicious_activity"
|
||||
severity := "medium"
|
||||
|
||||
|
||||
if strings.Contains(strings.ToLower(rule.Name), "brute") {
|
||||
eventType = "brute_force"
|
||||
severity = "high"
|
||||
@@ -510,11 +510,11 @@ func (ta *ThreatAnalyzer) createThreatEvent(rule ThreatRule, record LogRecord) e
|
||||
count = count + 1,
|
||||
last_seen = ?,
|
||||
details = ?`
|
||||
|
||||
|
||||
_, err := ta.db.Exec(query, record.IP, record.Service, eventType, severity,
|
||||
record.Timestamp, record.Timestamp, string(detailsJSON), rule.ID,
|
||||
record.Timestamp, string(detailsJSON))
|
||||
|
||||
|
||||
// If this is a blocking rule, add to blocklist
|
||||
if rule.Action == "block" {
|
||||
ta.blockIP(record.IP, rule.ID)
|
||||
@@ -528,11 +528,11 @@ func (ta *ThreatAnalyzer) blockIP(ip string, ruleID int) error {
|
||||
// Update IP analysis to mark as blocked
|
||||
query := `UPDATE ip_analysis SET is_blocked = 1 WHERE ip = ?`
|
||||
_, err := ta.db.Exec(query, ip)
|
||||
|
||||
|
||||
// Update threat events to mark as blocked
|
||||
query2 := `UPDATE threat_events SET blocked = 1 WHERE ip = ? AND rule_id = ?`
|
||||
_, err2 := ta.db.Exec(query2, ip, ruleID)
|
||||
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -542,7 +542,7 @@ func (ta *ThreatAnalyzer) blockIP(ip string, ruleID int) error {
|
||||
// GetBlockedIPs returns all currently blocked IPs
|
||||
func (ta *ThreatAnalyzer) GetBlockedIPs() ([]string, error) {
|
||||
query := `SELECT ip FROM ip_analysis WHERE is_blocked = 1 ORDER BY last_seen DESC`
|
||||
|
||||
|
||||
rows, err := ta.db.Query(query)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -565,10 +565,10 @@ func (ta *ThreatAnalyzer) GetBlockedIPs() ([]string, error) {
|
||||
func (ta *ThreatAnalyzer) UnblockIP(ip string) error {
|
||||
query := `UPDATE ip_analysis SET is_blocked = 0 WHERE ip = ?`
|
||||
_, err := ta.db.Exec(query, ip)
|
||||
|
||||
|
||||
query2 := `UPDATE threat_events SET blocked = 0 WHERE ip = ?`
|
||||
_, err2 := ta.db.Exec(query2, ip)
|
||||
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||