Compare commits
5 Commits
58fb6476c5
...
051c5ee4a5
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
051c5ee4a5 | ||
|
|
a15d4d660b | ||
|
|
dee64495cd | ||
|
|
16d13d6bee | ||
|
|
a4bf75394a |
@ -0,0 +1,4 @@
|
||||
curl -X POST http://localhost:8000/detect \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{"max_records": 5000, "hours_back": 1, "risk_threshold": 80, "auto_block": true}'
|
||||
{"detections":[{"source_ip":"108.139.210.107","risk_score":98.55466848373413,"confidence_level":"high","action_recommendation":"auto_block","anomaly_type":"ddos","reason":"High connection rate: 403.7 conn/s","log_count":1211,"total_packets":1211,"total_bytes":2101702,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":95.0},{"source_ip":"216.58.209.54","risk_score":95.52801848493884,"confidence_level":"high","action_recommendation":"auto_block","anomaly_type":"brute_force","reason":"High connection rate: 184.7 conn/s","log_count":554,"total_packets":554,"total_bytes":782397,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":95.0},{"source_ip":"95.127.69.202","risk_score":93.58280514393482,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 93.7 conn/s","log_count":281,"total_packets":281,"total_bytes":369875,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"95.127.72.207","risk_score":92.50694363471318,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 76.3 conn/s","log_count":229,"total_packets":229,"total_bytes":293439,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"95.110.183.67","risk_score":86.42278405656512,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 153.0 conn/s","log_count":459,"total_packets":459,"total_bytes":20822,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"54.75.71.86","risk_score":83.42037059381207,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 58.0 
conn/s","log_count":174,"total_packets":174,"total_bytes":25857,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"79.10.127.217","risk_score":82.32814469102843,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"brute_force","reason":"High connection rate: 70.0 conn/s","log_count":210,"total_packets":210,"total_bytes":18963,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0},{"source_ip":"142.251.140.100","risk_score":76.61422108557721,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"botnet","reason":"Anomalous pattern detected (botnet)","log_count":16,"total_packets":16,"total_bytes":20056,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:53","confidence":75.0},{"source_ip":"142.250.181.161","risk_score":76.3802033958719,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"botnet","reason":"Anomalous pattern detected (botnet)","log_count":15,"total_packets":15,"total_bytes":5214,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:51","confidence":75.0},{"source_ip":"142.250.180.131","risk_score":72.7723405111559,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"suspicious","reason":"Anomalous pattern detected (suspicious)","log_count":8,"total_packets":8,"total_bytes":5320,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:53","confidence":75.0},{"source_ip":"157.240.231.60","risk_score":72.26853648050493,"confidence_level":"medium","action_recommendation":"manual_review","anomaly_type":"botnet","reason":"Anomalous pattern detected (botnet)","log_count":16,"total_packets":16,"total_bytes":4624,"first_seen":"2026-01-02T16:41:51","last_seen":"2026-01-02T16:41:54","confidence":75.0}],"total":11,"blocked":0,"message":"Trovate 11 anomalie"}[root@ids python_ml]#
|
||||
@ -5,7 +5,7 @@ import { Button } from "@/components/ui/button";
|
||||
import { Input } from "@/components/ui/input";
|
||||
import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "@/components/ui/select";
|
||||
import { Slider } from "@/components/ui/slider";
|
||||
import { AlertTriangle, Search, Shield, Globe, MapPin, Building2, ShieldPlus, ShieldCheck } from "lucide-react";
|
||||
import { AlertTriangle, Search, Shield, Globe, MapPin, Building2, ShieldPlus, ShieldCheck, Unlock } from "lucide-react";
|
||||
import { format } from "date-fns";
|
||||
import { useState } from "react";
|
||||
import type { Detection, Whitelist } from "@shared/schema";
|
||||
@ -63,7 +63,7 @@ export default function Detections() {
|
||||
onSuccess: (_, detection) => {
|
||||
toast({
|
||||
title: "IP aggiunto alla whitelist",
|
||||
description: `${detection.sourceIp} è stato aggiunto alla whitelist con successo.`,
|
||||
description: `${detection.sourceIp} è stato aggiunto alla whitelist e sbloccato dai router.`,
|
||||
});
|
||||
queryClient.invalidateQueries({ queryKey: ["/api/whitelist"] });
|
||||
queryClient.invalidateQueries({ queryKey: ["/api/detections"] });
|
||||
@ -77,6 +77,29 @@ export default function Detections() {
|
||||
}
|
||||
});
|
||||
|
||||
// Mutation per sbloccare IP dai router
|
||||
const unblockMutation = useMutation({
|
||||
mutationFn: async (detection: Detection) => {
|
||||
return await apiRequest("POST", "/api/unblock-ip", {
|
||||
ipAddress: detection.sourceIp
|
||||
});
|
||||
},
|
||||
onSuccess: (data: any, detection) => {
|
||||
toast({
|
||||
title: "IP sbloccato",
|
||||
description: `${detection.sourceIp} è stato rimosso dalla blocklist di ${data.unblocked_from || 0} router.`,
|
||||
});
|
||||
queryClient.invalidateQueries({ queryKey: ["/api/detections"] });
|
||||
},
|
||||
onError: (error: any, detection) => {
|
||||
toast({
|
||||
title: "Errore sblocco",
|
||||
description: error.message || `Impossibile sbloccare ${detection.sourceIp} dai router.`,
|
||||
variant: "destructive",
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
const getRiskBadge = (riskScore: string) => {
|
||||
const score = parseFloat(riskScore);
|
||||
if (score >= 85) return <Badge variant="destructive">CRITICO</Badge>;
|
||||
@ -310,6 +333,20 @@ export default function Detections() {
|
||||
Whitelist
|
||||
</Button>
|
||||
)}
|
||||
|
||||
{detection.blocked && (
|
||||
<Button
|
||||
variant="outline"
|
||||
size="sm"
|
||||
onClick={() => unblockMutation.mutate(detection)}
|
||||
disabled={unblockMutation.isPending}
|
||||
className="w-full"
|
||||
data-testid={`button-unblock-${detection.id}`}
|
||||
>
|
||||
<Unlock className="h-3 w-3 mr-1" />
|
||||
Sblocca Router
|
||||
</Button>
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
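Review bot: In the new `unblockMutation` (hunk `@ -77,6 +77,29`), `onSuccess: (data: any, detection)` reads `data.unblocked_from` off an untyped value; if `apiRequest` resolves to a `Response` rather than parsed JSON (not visible here — worth checking the helper), that property is always `undefined` and the toast will always report `0` router, and the `any` is what hides it. Give the callbacks explicit shapes so the compiler catches a mismatch: `onSuccess: (data: { unblocked_from?: number }, detection: Detection) => {` and `onError: (error: Error, detection: Detection) => {`, parsing the body first if the helper returns a raw `Response`. The `Detections` component begins and ends outside these hunks.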
@ -2,7 +2,7 @@
|
||||
-- PostgreSQL database dump
|
||||
--
|
||||
|
||||
\restrict PRKBLjzmAC8I39HJVa9aOlkzFFiqgPPqt4hjKaZLwxRVM51Z47YCL9xNIeoXWQj
|
||||
\restrict 0WksqiXSxEbKkimrOffHTFz303y80NXUjCIEjcTgyodl4SsmTQnolXeqWX5mUy4
|
||||
|
||||
-- Dumped from database version 16.11 (74c6bb6)
|
||||
-- Dumped by pg_dump version 16.10
|
||||
@ -387,5 +387,5 @@ ALTER TABLE ONLY public.public_blacklist_ips
|
||||
-- PostgreSQL database dump complete
|
||||
--
|
||||
|
||||
\unrestrict PRKBLjzmAC8I39HJVa9aOlkzFFiqgPPqt4hjKaZLwxRVM51Z47YCL9xNIeoXWQj
|
||||
\unrestrict 0WksqiXSxEbKkimrOffHTFz303y80NXUjCIEjcTgyodl4SsmTQnolXeqWX5mUy4
|
||||
|
||||
|
||||
@ -25,7 +25,7 @@ The IDS employs a React-based frontend for real-time monitoring, detection visua
|
||||
**Key Architectural Decisions & Features:**
|
||||
- **Log Collection & Processing**: MikroTik syslog data (UDP:514) is parsed by `syslog_parser.py` and stored in PostgreSQL with a 3-day retention policy. The parser includes auto-reconnect and error recovery mechanisms.
|
||||
- **Machine Learning**: An Isolation Forest model (sklearn.IsolectionForest) trained on 25 network log features performs real-time anomaly detection, assigning a risk score (0-100 across five risk levels). A hybrid ML detector (Isolation Forest + Ensemble Classifier with weighted voting) reduces false positives. The system supports weekly automatic retraining of models.
|
||||
- **Automated Blocking**: Critical IPs (score >= 80) are automatically blocked in parallel across configured MikroTik routers via their REST API.
|
||||
- **Automated Blocking**: Critical IPs (score >= 80) are automatically blocked in parallel across configured MikroTik routers via their REST API. **Auto-unblock on whitelist**: When an IP is added to the whitelist, it is automatically removed from all router blocklists. Manual unblock button available in Detections page.
|
||||
- **Public Lists Integration (v2.0.0 - CIDR Complete)**: Automatic fetcher syncs blacklist/whitelist feeds every 10 minutes (Spamhaus, Talos, AWS, GCP, Cloudflare, IANA, NTP Pool). **Full CIDR support** using PostgreSQL INET/CIDR types with `<<=` containment operators for network range matching. Priority-based merge logic: Manual whitelist > Public whitelist > Blacklist (CIDR-aware). Detections created for blacklisted IPs/ranges (excluding whitelisted ranges). CRUD API + UI for list management. See `deployment/docs/PUBLIC_LISTS_V2_CIDR.md` for implementation details.
|
||||
- **Automatic Cleanup**: An hourly systemd timer (`cleanup_detections.py`) removes old detections (48h) and auto-unblocks IPs (2h).
|
||||
- **Service Monitoring & Management**: A dashboard provides real-time status (ML Backend, Database, Syslog Parser). API endpoints, secured with API key authentication and Systemd integration, allow for service management (start/stop/restart) of Python services.
|
||||
|
||||
@ -130,12 +130,74 @@ export async function registerRoutes(app: Express): Promise<Server> {
|
||||
try {
|
||||
const validatedData = insertWhitelistSchema.parse(req.body);
|
||||
const item = await storage.createWhitelist(validatedData);
|
||||
|
||||
// Auto-unblock from routers when adding to whitelist
|
||||
const mlBackendUrl = process.env.ML_BACKEND_URL || 'http://localhost:8000';
|
||||
const mlApiKey = process.env.IDS_API_KEY;
|
||||
try {
|
||||
const headers: Record<string, string> = { 'Content-Type': 'application/json' };
|
||||
if (mlApiKey) {
|
||||
headers['X-API-Key'] = mlApiKey;
|
||||
}
|
||||
const unblockResponse = await fetch(`${mlBackendUrl}/unblock-ip`, {
|
||||
method: 'POST',
|
||||
headers,
|
||||
body: JSON.stringify({ ip_address: validatedData.ipAddress })
|
||||
});
|
||||
if (unblockResponse.ok) {
|
||||
const result = await unblockResponse.json();
|
||||
console.log(`[WHITELIST] Auto-unblocked ${validatedData.ipAddress} from ${result.unblocked_from} routers`);
|
||||
} else {
|
||||
console.warn(`[WHITELIST] Failed to auto-unblock ${validatedData.ipAddress}: ${unblockResponse.status}`);
|
||||
}
|
||||
} catch (unblockError) {
|
||||
// Don't fail if ML backend is unavailable
|
||||
console.warn(`[WHITELIST] ML backend unavailable for auto-unblock: ${unblockError}`);
|
||||
}
|
||||
|
||||
res.json(item);
|
||||
} catch (error) {
|
||||
res.status(400).json({ error: "Invalid whitelist data" });
|
||||
}
|
||||
});
|
||||
|
||||
// Unblock IP from all routers (proxy to ML backend)
|
||||
app.post("/api/unblock-ip", async (req, res) => {
|
||||
try {
|
||||
const { ipAddress, listName = "ddos_blocked" } = req.body;
|
||||
|
||||
if (!ipAddress) {
|
||||
return res.status(400).json({ error: "IP address is required" });
|
||||
}
|
||||
|
||||
const mlBackendUrl = process.env.ML_BACKEND_URL || 'http://localhost:8000';
|
||||
const mlApiKey = process.env.IDS_API_KEY;
|
||||
const headers: Record<string, string> = { 'Content-Type': 'application/json' };
|
||||
if (mlApiKey) {
|
||||
headers['X-API-Key'] = mlApiKey;
|
||||
}
|
||||
|
||||
const response = await fetch(`${mlBackendUrl}/unblock-ip`, {
|
||||
method: 'POST',
|
||||
headers,
|
||||
body: JSON.stringify({ ip_address: ipAddress, list_name: listName })
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
const errorText = await response.text();
|
||||
console.error(`[UNBLOCK] ML backend error for ${ipAddress}: ${response.status} - ${errorText}`);
|
||||
return res.status(response.status).json({ error: errorText || "Failed to unblock IP" });
|
||||
}
|
||||
|
||||
const result = await response.json();
|
||||
console.log(`[UNBLOCK] Successfully unblocked ${ipAddress} from ${result.unblocked_from || 0} routers`);
|
||||
res.json(result);
|
||||
} catch (error: any) {
|
||||
console.error('[UNBLOCK] Error:', error);
|
||||
res.status(500).json({ error: error.message || "Failed to unblock IP from routers" });
|
||||
}
|
||||
});
|
||||
|
||||
app.delete("/api/whitelist/:id", async (req, res) => {
|
||||
try {
|
||||
const success = await storage.deleteWhitelist(req.params.id);
|
||||
|
||||
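Review bot: The new `/api/unblock-ip` route forwards `ipAddress` and `listName` straight from `req.body` to the ML backend, while the whitelist route just above runs its body through `insertWhitelistSchema.parse`; the only check is truthiness of `ipAddress`, and `listName` is never constrained, so a caller can name any router address-list the backend is willing to edit. It also echoes the backend's raw `errorText` and `error.message` back to the HTTP client, which leaks internal URLs and stack text — log those server-side and return a fixed message. Whether this route sits behind the API-key middleware is not visible in the hunk; if it does not, confirm that, because an unauthenticated unblock endpoint would undo the auto-block feature. A minimal validation using `isIP` from `node:net` and an allow-list of list names is sketched below; `registerRoutes` continues outside the hunk.
```typescript
app.post("/api/unblock-ip", async (req, res) => {
  try {
    const { ipAddress, listName = "ddos_blocked" } = req.body ?? {};
    // Only the address-lists the ML backend is expected to manage; extend deliberately.
    const allowedLists = ["ddos_blocked"];
    if (typeof ipAddress !== "string" || isIP(ipAddress) === 0) {
      return res.status(400).json({ error: "IP address is required" });
    }
    if (typeof listName !== "string" || !allowedLists.includes(listName)) {
      return res.status(400).json({ error: "Invalid list name" });
    }
    // … unchanged: ML backend URL / API key header setup and fetch …
    if (!response.ok) {
      const errorText = await response.text();
      console.error(`[UNBLOCK] ML backend error for ${ipAddress}: ${response.status} - ${errorText}`);
      // Log the backend detail; do not relay it to the caller.
      return res.status(502).json({ error: "Failed to unblock IP" });
    }
    // … unchanged: success path …
  } catch (error: unknown) {
    console.error('[UNBLOCK] Error:', error);
    res.status(500).json({ error: "Failed to unblock IP from routers" });
  }
});
```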
16
version.json
16
version.json
@ -1,7 +1,13 @@
|
||||
{
|
||||
"version": "1.0.99",
|
||||
"lastUpdate": "2026-01-02T15:39:39.640Z",
|
||||
"version": "1.0.100",
|
||||
"lastUpdate": "2026-01-02T15:51:11.271Z",
|
||||
"changelog": [
|
||||
{
|
||||
"version": "1.0.100",
|
||||
"date": "2026-01-02",
|
||||
"type": "patch",
|
||||
"description": "Deployment automatico v1.0.100"
|
||||
},
|
||||
{
|
||||
"version": "1.0.99",
|
||||
"date": "2026-01-02",
|
||||
@ -295,12 +301,6 @@
|
||||
"date": "2025-11-24",
|
||||
"type": "patch",
|
||||
"description": "Deployment automatico v1.0.51"
|
||||
},
|
||||
{
|
||||
"version": "1.0.50",
|
||||
"date": "2025-11-24",
|
||||
"type": "patch",
|
||||
"description": "Deployment automatico v1.0.50"
|
||||
}
|
||||
]
|
||||
}
|
||||